Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
A method for stripping out HTML code that could cause XSS
package gov.ehawaii.swhv.utils;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;
import lombok.NonNull;
public final class SecurityUtils {
private final static List<String> MALICIOUS_STRING_LIST = new ArrayList<>();
static {
MALICIOUS_STRING_LIST.add("(?i)<.*?script.*?>.*?</.*?>");
MALICIOUS_STRING_LIST.add("(?i)<.*?script.*?\\s+.*?/script.*?>");
MALICIOUS_STRING_LIST.add("(?i)<.*?javascript:.*?>.*?</.*?>");
MALICIOUS_STRING_LIST.add("(?i)<.*?\\s+on.*?>.*?</.*?>");
MALICIOUS_STRING_LIST.add("(?i)<object.*?>.*?</object.*?>");
MALICIOUS_STRING_LIST.add("(?i)<.*?object:.*?>.*?</.*?>");
MALICIOUS_STRING_LIST.add("(?i)<applet.*?>.*?</applet.*?>");
MALICIOUS_STRING_LIST.add("(?i)<.*?applet:.*?>.*?</.*?>");
MALICIOUS_STRING_LIST.add("(?i)<embed.*?>.*?</embed.*?>");
MALICIOUS_STRING_LIST.add("(?i)<.*?embed:.*?>.*?</.*?>");
MALICIOUS_STRING_LIST.add("(?i)<form.*?>.*?</form.*?>");
MALICIOUS_STRING_LIST.add("(?i)<.*?form:.*?>.*?</.*?>");
MALICIOUS_STRING_LIST.add("(?i)<.*?\\f+on.*?>.*?</.*?>");
MALICIOUS_STRING_LIST.add("(?i)onabort");
MALICIOUS_STRING_LIST.add("(?i)onactivate");
MALICIOUS_STRING_LIST.add("(?i)onafterprint");
MALICIOUS_STRING_LIST.add("(?i)onafterupdate");
MALICIOUS_STRING_LIST.add("(?i)onbeforeactivate");
MALICIOUS_STRING_LIST.add("(?i)onbeforecopy");
MALICIOUS_STRING_LIST.add("(?i)onbeforecut");
MALICIOUS_STRING_LIST.add("(?i)onbeforedeactivate");
MALICIOUS_STRING_LIST.add("(?i)onbeforeeditfocus");
MALICIOUS_STRING_LIST.add("(?i)onbeforepaste");
MALICIOUS_STRING_LIST.add("(?i)onbeforeprint");
MALICIOUS_STRING_LIST.add("(?i)onbeforeunload");
MALICIOUS_STRING_LIST.add("(?i)onbeforeupdate");
MALICIOUS_STRING_LIST.add("(?i)onblur");
MALICIOUS_STRING_LIST.add("(?i)onbounce");
MALICIOUS_STRING_LIST.add("(?i)oncellchange");
MALICIOUS_STRING_LIST.add("(?i)onchange");
MALICIOUS_STRING_LIST.add("(?i)onclick");
MALICIOUS_STRING_LIST.add("(?i)oncontextmenu");
MALICIOUS_STRING_LIST.add("(?i)oncontrolselect");
MALICIOUS_STRING_LIST.add("(?i)oncopy");
MALICIOUS_STRING_LIST.add("(?i)oncut");
MALICIOUS_STRING_LIST.add("(?i)ondataavailable");
MALICIOUS_STRING_LIST.add("(?i)ondatasetchanged");
MALICIOUS_STRING_LIST.add("(?i)ondatasetcomplete");
MALICIOUS_STRING_LIST.add("(?i)ondblclick");
MALICIOUS_STRING_LIST.add("(?i)ondeactivate");
MALICIOUS_STRING_LIST.add("(?i)ondrag");
MALICIOUS_STRING_LIST.add("(?i)ondragend");
MALICIOUS_STRING_LIST.add("(?i)ondragenter");
MALICIOUS_STRING_LIST.add("(?i)ondragleave");
MALICIOUS_STRING_LIST.add("(?i)ondragover");
MALICIOUS_STRING_LIST.add("(?i)ondragstart");
MALICIOUS_STRING_LIST.add("(?i)ondrop");
MALICIOUS_STRING_LIST.add("(?i)onerror");
MALICIOUS_STRING_LIST.add("(?i)onerrorupdate");
MALICIOUS_STRING_LIST.add("(?i)onfilterchange");
MALICIOUS_STRING_LIST.add("(?i)onfinish");
MALICIOUS_STRING_LIST.add("(?i)onfocus");
MALICIOUS_STRING_LIST.add("(?i)onfocusin");
MALICIOUS_STRING_LIST.add("(?i)onfocusout");
MALICIOUS_STRING_LIST.add("(?i)onhelp");
MALICIOUS_STRING_LIST.add("(?i)onkeydown");
MALICIOUS_STRING_LIST.add("(?i)onkeypress");
MALICIOUS_STRING_LIST.add("(?i)onkeyup");
MALICIOUS_STRING_LIST.add("(?i)onlayoutcomplete");
MALICIOUS_STRING_LIST.add("(?i)onload");
MALICIOUS_STRING_LIST.add("(?i)onlosecapture");
MALICIOUS_STRING_LIST.add("(?i)onmousedown");
MALICIOUS_STRING_LIST.add("(?i)onmouseenter");
MALICIOUS_STRING_LIST.add("(?i)onmouseleave");
MALICIOUS_STRING_LIST.add("(?i)onmousemove");
MALICIOUS_STRING_LIST.add("(?i)onmouseout");
MALICIOUS_STRING_LIST.add("(?i)onmouseover");
MALICIOUS_STRING_LIST.add("(?i)onmouseup");
MALICIOUS_STRING_LIST.add("(?i)onmousewheel");
MALICIOUS_STRING_LIST.add("(?i)onmove");
MALICIOUS_STRING_LIST.add("(?i)onmoveend");
MALICIOUS_STRING_LIST.add("(?i)onmovestart");
MALICIOUS_STRING_LIST.add("(?i)onpaste");
MALICIOUS_STRING_LIST.add("(?i)onpropertychange");
MALICIOUS_STRING_LIST.add("(?i)onreadystatechange");
MALICIOUS_STRING_LIST.add("(?i)onreset");
MALICIOUS_STRING_LIST.add("(?i)onresize");
MALICIOUS_STRING_LIST.add("(?i)onresizeend");
MALICIOUS_STRING_LIST.add("(?i)onresizestart");
MALICIOUS_STRING_LIST.add("(?i)onrowenter");
MALICIOUS_STRING_LIST.add("(?i)onrowexit");
MALICIOUS_STRING_LIST.add("(?i)onrowsdelete");
MALICIOUS_STRING_LIST.add("(?i)onrowsinserted");
MALICIOUS_STRING_LIST.add("(?i)onscroll");
MALICIOUS_STRING_LIST.add("(?i)onselect");
MALICIOUS_STRING_LIST.add("(?i)onselectionchange");
MALICIOUS_STRING_LIST.add("(?i)onselectstart");
MALICIOUS_STRING_LIST.add("(?i)onstart");
MALICIOUS_STRING_LIST.add("(?i)onstop");
MALICIOUS_STRING_LIST.add("(?i)onsubmit");
MALICIOUS_STRING_LIST.add("(?i)onunload");
};
private SecurityUtils() {
}
/**
* Reference: https://github.com/sotheareth/XSS-Filter-Spring
*
* @param val The value to sanitize.
* @return A sanitized string.
*/
public static String stripXSS(@NonNull final String val) {
// Avoid anything between script tags
Pattern scriptPattern = Pattern.compile("<script>(.*?)</script>", Pattern.CASE_INSENSITIVE);
String value = scriptPattern.matcher(val).replaceAll("");
// Avoid anything in a src='...' type of expression
scriptPattern = Pattern.compile("src[\r\n]*=[\r\n]*\\\'(.*?)\\\'", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
value = scriptPattern.matcher(value).replaceAll("");
scriptPattern = Pattern.compile("src[\r\n]*=[\r\n]*\\\"(.*?)\\\"", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
value = scriptPattern.matcher(value).replaceAll("");
// Remove any lonesome </script> tag
scriptPattern = Pattern.compile("</script>", Pattern.CASE_INSENSITIVE);
value = scriptPattern.matcher(value).replaceAll("");
// Remove any lonesome <script ...> tag
scriptPattern = Pattern.compile("<script(.*?)>", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
value = scriptPattern.matcher(value).replaceAll("");
// Avoid eval(...) expressions
scriptPattern = Pattern.compile("eval\\((.*?)\\)", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
value = scriptPattern.matcher(value).replaceAll("");
// Avoid expression(...) expressions
scriptPattern = Pattern.compile("expression\\((.*?)\\)", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
value = scriptPattern.matcher(value).replaceAll("");
// Avoid javascript:... expressions
scriptPattern = Pattern.compile("javascript:", Pattern.CASE_INSENSITIVE);
value = scriptPattern.matcher(value).replaceAll("");
// Avoid vbscript:... expressions
scriptPattern = Pattern.compile("vbscript:", Pattern.CASE_INSENSITIVE);
value = scriptPattern.matcher(value).replaceAll("");
// Avoid onload= expressions
scriptPattern = Pattern.compile("onload(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
value = scriptPattern.matcher(value).replaceAll("");
for (String maliciousString : MALICIOUS_STRING_LIST) {
value = value.replaceAll(maliciousString, "");
}
return value;
}
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.