authorJames Moger <james.moger@gitblit.com>2014-09-06 11:25:42 -0400
committerJames Moger <james.moger@gitblit.com>2014-09-07 11:42:40 -0400
commitfc3a39d464b1303f0b7d01d0160f81cbbb80a98b (patch)
tree9a45d2f99aa1393198e8610221eb51e982e0d5af /src/main/java/com/gitblit/utils
parent90eb5a08ddd6a3a246e8b73da9524c304838928a (diff)
Create infrastructure for XSS sanitization
Diffstat (limited to 'src/main/java/com/gitblit/utils')
-rw-r--r--src/main/java/com/gitblit/utils/JSoupXssFilter.java87
-rw-r--r--src/main/java/com/gitblit/utils/XssFilter.java64
2 files changed, 151 insertions, 0 deletions
diff --git a/src/main/java/com/gitblit/utils/JSoupXssFilter.java b/src/main/java/com/gitblit/utils/JSoupXssFilter.java
new file mode 100644
index 00000000..b07bcb9d
--- /dev/null
+++ b/src/main/java/com/gitblit/utils/JSoupXssFilter.java
@@ -0,0 +1,87 @@
+/*
+ * Copyright 2014 gitblit.com.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.gitblit.utils;
+
+import org.jsoup.Jsoup;
+import org.jsoup.nodes.Document;
+import org.jsoup.safety.Cleaner;
+import org.jsoup.safety.Whitelist;
+
+/**
+ * Implementation of an XSS filter based on JSoup.
+ *
+ * @author James Moger
+ *
+ */
+public class JSoupXssFilter implements XssFilter {
+
+ private final Cleaner none;
+
+ private final Cleaner relaxed;
+
+ public JSoupXssFilter() {
+ none = new Cleaner(Whitelist.none());
+ relaxed = new Cleaner(getRelaxedWhiteList());
+ }
+
+ @Override
+ public String none(String input) {
+ return clean(input, none);
+ }
+
+ @Override
+ public String relaxed(String input) {
+ return clean(input, relaxed);
+ }
+
+ protected String clean(String input, Cleaner cleaner) {
+ Document unsafe = Jsoup.parse(input);
+ Document safe = cleaner.clean(unsafe);
+ return safe.body().html();
+ }
+
+ /**
+ * Builds & returns a loose HTML whitelist similar to Github.
+ *
+ * https://github.com/github/markup/tree/master#html-sanitization
+ * @return a loose HTML whitelist
+ */
+ protected Whitelist getRelaxedWhiteList() {
+ return new Whitelist()
+ .addTags(
+ "a", "b", "blockquote", "br", "caption", "cite", "code", "col",
+ "colgroup", "dd", "del", "div", "dl", "dt", "em", "h1", "h2", "h3", "h4", "h5", "h6", "hr",
+ "i", "img", "ins", "kbd", "li", "ol", "p", "pre", "q", "samp", "small", "strike", "strong",
+ "sub", "sup", "table", "tbody", "td", "tfoot", "th", "thead", "tr", "tt", "u",
+ "ul", "var")
+
+ .addAttributes("a", "href", "title")
+ .addAttributes("blockquote", "cite")
+ .addAttributes("col", "span", "width")
+ .addAttributes("colgroup", "span", "width")
+ .addAttributes("img", "align", "alt", "height", "src", "title", "width")
+ .addAttributes("ol", "start", "type")
+ .addAttributes("q", "cite")
+ .addAttributes("table", "summary", "width")
+ .addAttributes("td", "abbr", "axis", "colspan", "rowspan", "width")
+ .addAttributes("th", "abbr", "axis", "colspan", "rowspan", "scope", "width")
+ .addAttributes("ul", "type")
+
+ .addEnforcedAttribute("a", "rel", "nofollow")
+ ;
+ }
+
+}
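Review bot: The relaxed whitelist built in getRelaxedWhiteList admits `a[href]` and `img[src]` without ever calling `addProtocols`, so jsoup will keep those attributes with any URL scheme, including non-http schemes such as `javascript:`, which defeats the purpose of the filter for the two attributes most commonly abused; jsoup's own built-in relaxed whitelist restricts them. Add to the chain `.addProtocols("a", "href", "http", "https", "mailto")` and `.addProtocols("img", "src", "http", "https")`, and since protocol checks drop relative URLs by default, `.preserveRelativeLinks(true)` if repository-relative links are expected to survive. Separately, `clean` passes `input` straight to `Jsoup.parse`, which presumably rejects a null argument, so either document that callers must not pass null or normalise null to an empty string there. The Javadoc on getRelaxedWhiteList should also say that the enforced `rel="nofollow"` is only applied to anchors that survive the protocol check.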
diff --git a/src/main/java/com/gitblit/utils/XssFilter.java b/src/main/java/com/gitblit/utils/XssFilter.java
new file mode 100644
index 00000000..20b51057
--- /dev/null
+++ b/src/main/java/com/gitblit/utils/XssFilter.java
@@ -0,0 +1,64 @@
+/*
+ * Copyright 2014 gitblit.com.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.gitblit.utils;
+
+/**
+ * Defines the contract for an XSS filter implementation.
+ *
+ * @author James Moger
+ *
+ */
+public interface XssFilter {
+
+ /**
+ * Returns a filtered version of the input value that contains no html
+ * elements.
+ *
+ * @param input
+ * @return a plain text value
+ */
+ String none(String input);
+
+ /**
+ * Returns a filtered version of the input that contains structural html
+ * elements.
+ *
+ * @param input
+ * @return a filtered html value
+ */
+ String relaxed(String input);
+
+ /**
+ * A NOOP XSS filter.
+ *
+ * @author James Moger
+ *
+ */
+ public class AllowXssFilter implements XssFilter {
+
+ @Override
+ public String none(String input) {
+ return input;
+ }
+
+ @Override
+ public String relaxed(String input) {
+ return input;
+ }
+
+ }
+
+}
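Review bot: The `@param input` tags on both `none` and `relaxed` are empty and the contract does not say how a null input is treated, which matters because the two implementations in this commit already diverge: `AllowXssFilter` returns it unchanged while the JSoup implementation hands it to a parser that presumably does not accept null. Suggest `@param input the untrusted text or html to sanitize; must not be null` on both methods. The `@return a plain text value` on `none` is also slightly misleading from what the JSoup implementation shows, since it serialises the cleaned body as html, so characters such as `&` and `<` come back entity-encoded rather than as raw text; a wording like `@return the input with all html elements removed, still html-encoded` would stop callers from encoding it a second time. As a point of style, the `public` modifier on the nested `AllowXssFilter` is redundant inside an interface, where members are implicitly public and static.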