Testing AntiSamy


AntiSamy is the OWASP library for sanitizing HTML against XSS. It is driven by an XML policy that decides what gets filtered (tags, attributes, CSS and so on). Writing a custom policy is fairly expensive for developers, so AntiSamy also ships several built-in policies with different security levels and different filtering behaviour. Below are tests run against those bundled policies.

Test code:

package com.didichuxing.hive.client;

import org.owasp.validator.html.AntiSamy;
import org.owasp.validator.html.CleanResults;
import org.owasp.validator.html.Policy;

public class RichTextXssTest {

    public static void main(String[] args) {

        AntiSamy as = new AntiSamy();
        try {
            // Swap the policy file to compare the bundled policies.
            //Policy policy = Policy.getInstance("antisamy-slashdot.xml");
            Policy policy = Policy.getInstance("antisamy-ebay.xml");

            // 1: plain image tag, should normally survive
            CleanResults cr = as.scan("<img src=http://www.qq.com/a.jpg />", policy);
            System.out.print(cr.getCleanHTML() + "1\r\n");

            // 2: mixed-case script tag with external source
            cr = as.scan("<sCript src=http://www.qq.com/a.js />", policy);
            System.out.print(cr.getCleanHTML() + "2\r\n");

            // 3: event handler attribute on an otherwise valid tag
            cr = as.scan("<img src=http://www.qq.com/a.jpg onclick=alert(1) />", policy);
            System.out.print(cr.getCleanHTML() + "3\r\n");

            // 4: attribute fragment without a tag, with URL-encoded tail
            cr = as.scan("onfinish=javascript:a=alert;a(1)%3E%3C!--", policy);
            System.out.print(cr.getCleanHTML() + "4\r\n");

            // 5-7: javascript: URLs in src, plain, mixed-case and hex-entity encoded
            cr = as.scan("<img src=\"javascript:alert('XSS')\">", policy);
            System.out.print(cr.getCleanHTML() + "5\r\n");

            cr = as.scan("<IMG src=JaVaScRiPt:alert('XSS')>", policy);
            System.out.print(cr.getCleanHTML() + "6\r\n");

            cr = as.scan("<IMG src=&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29>", policy);
            System.out.print(cr.getCleanHTML() + "7\r\n");

            // 8: style block declared as JavaScript
            cr = as.scan("<STYLE TYPE=\"text/javascript\">alert('XSS');</STYLE>", policy);
            System.out.print(cr.getCleanHTML() + "8\r\n");

            // 9: malformed href
            cr = as.scan("<A href=http://www.gohttp://www.google.com/ogle.com/>link</A>", policy);
            System.out.print(cr.getCleanHTML() + "9\r\n");

            // 10: meta refresh to a javascript: URL
            cr = as.scan("<META HTTP-EQUIV=\"refresh\" CONTENT=\"0;url=javascript:alert('XSS');\">", policy);
            System.out.print(cr.getCleanHTML() + "10\r\n");
        }
        catch (Exception ex) {
            ex.printStackTrace();
        }
    }

}
Ten payloads were tested in total; the results are as follows:

Results for the antisamy-ebay.xml policy:

Results for the antisamy-slashdot.xml policy:

Results for the antisamy-myspace.xml policy:

Results for the antisamy-tinymce.xml policy:

Results for the antisamy-anythinggoes.xml policy:

Results for the default antisamy.xml policy:
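The result screenshots the article relied on are easier to reproduce as a matrix: the added harness below (not from the original post) loads each bundled policy named above, runs a constructed payload set through it and flags any output that still carries script-capable markup. The `DANGEROUS` pattern is a heuristic on the sanitized output and is this example's own assumption, not an AntiSamy API.

```java
import org.owasp.validator.html.AntiSamy;
import org.owasp.validator.html.CleanResults;
import org.owasp.validator.html.Policy;

import java.util.Arrays;
import java.util.List;
import java.util.regex.Pattern;

// Added example: compare every bundled policy against the same payload set.
public class AntiSamyPolicyMatrix {

    // Built-in policy files shipped with AntiSamy (the ones the article tests).
    static final List<String> POLICIES = Arrays.asList(
        "antisamy.xml", "antisamy-slashdot.xml", "antisamy-ebay.xml",
        "antisamy-myspace.xml", "antisamy-tinymce.xml", "antisamy-anythinggoes.xml");

    // Constructed payloads covering the same categories as the article's tests.
    static final List<String> PAYLOADS = Arrays.asList(
        "<img src=http://www.qq.com/a.jpg />",
        "<sCript src=http://www.qq.com/a.js />",
        "<img src=http://www.qq.com/a.jpg onclick=alert(1) />",
        "<img src=\"javascript:alert('XSS')\">",
        "<STYLE TYPE=\"text/javascript\">alert('XSS');</STYLE>",
        "<META HTTP-EQUIV=\"refresh\" CONTENT=\"0;url=javascript:alert('XSS');\">");

    // Heuristic (assumed, not part of AntiSamy): none of these should survive
    // in the *sanitized output* of a policy used for untrusted rich text.
    static final Pattern DANGEROUS = Pattern.compile(
        "(?i)<script|javascript:|\\son[a-z]+\\s*=|<meta");

    static boolean isSuspicious(String cleanHtml) {
        return DANGEROUS.matcher(cleanHtml).find();
    }

    public static void main(String[] args) throws Exception {
        AntiSamy as = new AntiSamy();
        for (String policyFile : POLICIES) {
            Policy policy = Policy.getInstance(policyFile);
            System.out.println("== " + policyFile);
            for (int i = 0; i < PAYLOADS.size(); i++) {
                CleanResults cr = as.scan(PAYLOADS.get(i), policy);
                String out = cr.getCleanHTML();
                // getNumberOfErrors() counts what the policy removed or rewrote.
                System.out.printf("%2d %-4s errors=%d out=%s%n", i + 1,
                    isSuspicious(out) ? "FAIL" : "ok", cr.getNumberOfErrors(), out);
            }
        }
    }
}
```

A "FAIL" row marks a policy that is too permissive for untrusted input, which is the expected outcome for antisamy-anythinggoes.xml; it is not a verdict on the library, only on that policy choice.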
