Created
December 14, 2018 23:01
-
-
Save bjpeterdelacruz/451f2ded5799900aeb48cdd6962d3a3b to your computer and use it in GitHub Desktop.
A method for stripping out HTML code that could cause XSS
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
package gov.ehawaii.swhv.utils; | |
import java.util.ArrayList; | |
import java.util.List; | |
import java.util.regex.Pattern; | |
import lombok.NonNull; | |
public final class SecurityUtils { | |
private final static List<String> MALICIOUS_STRING_LIST = new ArrayList<>(); | |
static { | |
MALICIOUS_STRING_LIST.add("(?i)<.*?script.*?>.*?</.*?>"); | |
MALICIOUS_STRING_LIST.add("(?i)<.*?script.*?\\s+.*?/script.*?>"); | |
MALICIOUS_STRING_LIST.add("(?i)<.*?javascript:.*?>.*?</.*?>"); | |
MALICIOUS_STRING_LIST.add("(?i)<.*?\\s+on.*?>.*?</.*?>"); | |
MALICIOUS_STRING_LIST.add("(?i)<object.*?>.*?</object.*?>"); | |
MALICIOUS_STRING_LIST.add("(?i)<.*?object:.*?>.*?</.*?>"); | |
MALICIOUS_STRING_LIST.add("(?i)<applet.*?>.*?</applet.*?>"); | |
MALICIOUS_STRING_LIST.add("(?i)<.*?applet:.*?>.*?</.*?>"); | |
MALICIOUS_STRING_LIST.add("(?i)<embed.*?>.*?</embed.*?>"); | |
MALICIOUS_STRING_LIST.add("(?i)<.*?embed:.*?>.*?</.*?>"); | |
MALICIOUS_STRING_LIST.add("(?i)<form.*?>.*?</form.*?>"); | |
MALICIOUS_STRING_LIST.add("(?i)<.*?form:.*?>.*?</.*?>"); | |
MALICIOUS_STRING_LIST.add("(?i)<.*?\\f+on.*?>.*?</.*?>"); | |
MALICIOUS_STRING_LIST.add("(?i)onabort"); | |
MALICIOUS_STRING_LIST.add("(?i)onactivate"); | |
MALICIOUS_STRING_LIST.add("(?i)onafterprint"); | |
MALICIOUS_STRING_LIST.add("(?i)onafterupdate"); | |
MALICIOUS_STRING_LIST.add("(?i)onbeforeactivate"); | |
MALICIOUS_STRING_LIST.add("(?i)onbeforecopy"); | |
MALICIOUS_STRING_LIST.add("(?i)onbeforecut"); | |
MALICIOUS_STRING_LIST.add("(?i)onbeforedeactivate"); | |
MALICIOUS_STRING_LIST.add("(?i)onbeforeeditfocus"); | |
MALICIOUS_STRING_LIST.add("(?i)onbeforepaste"); | |
MALICIOUS_STRING_LIST.add("(?i)onbeforeprint"); | |
MALICIOUS_STRING_LIST.add("(?i)onbeforeunload"); | |
MALICIOUS_STRING_LIST.add("(?i)onbeforeupdate"); | |
MALICIOUS_STRING_LIST.add("(?i)onblur"); | |
MALICIOUS_STRING_LIST.add("(?i)onbounce"); | |
MALICIOUS_STRING_LIST.add("(?i)oncellchange"); | |
MALICIOUS_STRING_LIST.add("(?i)onchange"); | |
MALICIOUS_STRING_LIST.add("(?i)onclick"); | |
MALICIOUS_STRING_LIST.add("(?i)oncontextmenu"); | |
MALICIOUS_STRING_LIST.add("(?i)oncontrolselect"); | |
MALICIOUS_STRING_LIST.add("(?i)oncopy"); | |
MALICIOUS_STRING_LIST.add("(?i)oncut"); | |
MALICIOUS_STRING_LIST.add("(?i)ondataavailable"); | |
MALICIOUS_STRING_LIST.add("(?i)ondatasetchanged"); | |
MALICIOUS_STRING_LIST.add("(?i)ondatasetcomplete"); | |
MALICIOUS_STRING_LIST.add("(?i)ondblclick"); | |
MALICIOUS_STRING_LIST.add("(?i)ondeactivate"); | |
MALICIOUS_STRING_LIST.add("(?i)ondrag"); | |
MALICIOUS_STRING_LIST.add("(?i)ondragend"); | |
MALICIOUS_STRING_LIST.add("(?i)ondragenter"); | |
MALICIOUS_STRING_LIST.add("(?i)ondragleave"); | |
MALICIOUS_STRING_LIST.add("(?i)ondragover"); | |
MALICIOUS_STRING_LIST.add("(?i)ondragstart"); | |
MALICIOUS_STRING_LIST.add("(?i)ondrop"); | |
MALICIOUS_STRING_LIST.add("(?i)onerror"); | |
MALICIOUS_STRING_LIST.add("(?i)onerrorupdate"); | |
MALICIOUS_STRING_LIST.add("(?i)onfilterchange"); | |
MALICIOUS_STRING_LIST.add("(?i)onfinish"); | |
MALICIOUS_STRING_LIST.add("(?i)onfocus"); | |
MALICIOUS_STRING_LIST.add("(?i)onfocusin"); | |
MALICIOUS_STRING_LIST.add("(?i)onfocusout"); | |
MALICIOUS_STRING_LIST.add("(?i)onhelp"); | |
MALICIOUS_STRING_LIST.add("(?i)onkeydown"); | |
MALICIOUS_STRING_LIST.add("(?i)onkeypress"); | |
MALICIOUS_STRING_LIST.add("(?i)onkeyup"); | |
MALICIOUS_STRING_LIST.add("(?i)onlayoutcomplete"); | |
MALICIOUS_STRING_LIST.add("(?i)onload"); | |
MALICIOUS_STRING_LIST.add("(?i)onlosecapture"); | |
MALICIOUS_STRING_LIST.add("(?i)onmousedown"); | |
MALICIOUS_STRING_LIST.add("(?i)onmouseenter"); | |
MALICIOUS_STRING_LIST.add("(?i)onmouseleave"); | |
MALICIOUS_STRING_LIST.add("(?i)onmousemove"); | |
MALICIOUS_STRING_LIST.add("(?i)onmouseout"); | |
MALICIOUS_STRING_LIST.add("(?i)onmouseover"); | |
MALICIOUS_STRING_LIST.add("(?i)onmouseup"); | |
MALICIOUS_STRING_LIST.add("(?i)onmousewheel"); | |
MALICIOUS_STRING_LIST.add("(?i)onmove"); | |
MALICIOUS_STRING_LIST.add("(?i)onmoveend"); | |
MALICIOUS_STRING_LIST.add("(?i)onmovestart"); | |
MALICIOUS_STRING_LIST.add("(?i)onpaste"); | |
MALICIOUS_STRING_LIST.add("(?i)onpropertychange"); | |
MALICIOUS_STRING_LIST.add("(?i)onreadystatechange"); | |
MALICIOUS_STRING_LIST.add("(?i)onreset"); | |
MALICIOUS_STRING_LIST.add("(?i)onresize"); | |
MALICIOUS_STRING_LIST.add("(?i)onresizeend"); | |
MALICIOUS_STRING_LIST.add("(?i)onresizestart"); | |
MALICIOUS_STRING_LIST.add("(?i)onrowenter"); | |
MALICIOUS_STRING_LIST.add("(?i)onrowexit"); | |
MALICIOUS_STRING_LIST.add("(?i)onrowsdelete"); | |
MALICIOUS_STRING_LIST.add("(?i)onrowsinserted"); | |
MALICIOUS_STRING_LIST.add("(?i)onscroll"); | |
MALICIOUS_STRING_LIST.add("(?i)onselect"); | |
MALICIOUS_STRING_LIST.add("(?i)onselectionchange"); | |
MALICIOUS_STRING_LIST.add("(?i)onselectstart"); | |
MALICIOUS_STRING_LIST.add("(?i)onstart"); | |
MALICIOUS_STRING_LIST.add("(?i)onstop"); | |
MALICIOUS_STRING_LIST.add("(?i)onsubmit"); | |
MALICIOUS_STRING_LIST.add("(?i)onunload"); | |
}; | |
private SecurityUtils() { | |
} | |
/** | |
* Reference: https://github.com/sotheareth/XSS-Filter-Spring | |
* | |
* @param val The value to sanitize. | |
* @return A sanitized string. | |
*/ | |
public static String stripXSS(@NonNull final String val) { | |
// Avoid anything between script tags | |
Pattern scriptPattern = Pattern.compile("<script>(.*?)</script>", Pattern.CASE_INSENSITIVE); | |
String value = scriptPattern.matcher(val).replaceAll(""); | |
// Avoid anything in a src='...' type of expression | |
scriptPattern = Pattern.compile("src[\r\n]*=[\r\n]*\\\'(.*?)\\\'", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL); | |
value = scriptPattern.matcher(value).replaceAll(""); | |
scriptPattern = Pattern.compile("src[\r\n]*=[\r\n]*\\\"(.*?)\\\"", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL); | |
value = scriptPattern.matcher(value).replaceAll(""); | |
// Remove any lonesome </script> tag | |
scriptPattern = Pattern.compile("</script>", Pattern.CASE_INSENSITIVE); | |
value = scriptPattern.matcher(value).replaceAll(""); | |
// Remove any lonesome <script ...> tag | |
scriptPattern = Pattern.compile("<script(.*?)>", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL); | |
value = scriptPattern.matcher(value).replaceAll(""); | |
// Avoid eval(...) expressions | |
scriptPattern = Pattern.compile("eval\\((.*?)\\)", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL); | |
value = scriptPattern.matcher(value).replaceAll(""); | |
// Avoid expression(...) expressions | |
scriptPattern = Pattern.compile("expression\\((.*?)\\)", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL); | |
value = scriptPattern.matcher(value).replaceAll(""); | |
// Avoid javascript:... expressions | |
scriptPattern = Pattern.compile("javascript:", Pattern.CASE_INSENSITIVE); | |
value = scriptPattern.matcher(value).replaceAll(""); | |
// Avoid vbscript:... expressions | |
scriptPattern = Pattern.compile("vbscript:", Pattern.CASE_INSENSITIVE); | |
value = scriptPattern.matcher(value).replaceAll(""); | |
// Avoid onload= expressions | |
scriptPattern = Pattern.compile("onload(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL); | |
value = scriptPattern.matcher(value).replaceAll(""); | |
for (String maliciousString : MALICIOUS_STRING_LIST) { | |
value = value.replaceAll(maliciousString, ""); | |
} | |
return value; | |
} | |
} |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment