
Prevent Xss injection in user generated content, JSOUP

Cedric Bosch
Ranch Hand
Posts: 92
I'm writing sort of a "what you see is what you get" editor where users can post images with style, tables and also charts from the Google API.

To prevent XSS injection I was thinking about using JSOUP together with a markup language I would create specifically for the task. Since I'm a bit new to this XSS thing (I use JSF, which is well equipped against it) I was hoping I could have tips, or that someone could put me on the right track, as I'm not totally sure using my own markup language is needed and whether JSOUP alone could do what I want. I did test JSOUP a bit but I'm not completely understanding it so far, as vanilla whitelists are not enough to do what I'm trying to do and I'm a bit afraid of adding tags to the whitelist. So is using my own markup language safer?

The content of what a user could submit could look like this (I took this directly from the dev tool console, so this is an actual output; I just formatted it and removed most of the code. If you notice that br tags aren't closing, that's not me, that's Google):

Thanks for the help if any.
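As an added illustration of the whitelist approach the question asks about (this is example code, not the poster's editor and not taken from the jsoup project), here is how a jsoup safelist can be extended to the table tags an editor needs while still stripping scripts, event handlers and `javascript:` URLs. It uses jsoup's real API: `Safelist.basicWithImages()`, `addTags`, `addAttributes` and `Jsoup.clean`; in older jsoup releases the class is called `Whitelist` with the same methods. The class name `UgcSanitizer` and the sample input are assumptions made for the example.

```java
import org.jsoup.Jsoup;
import org.jsoup.safety.Safelist;

public class UgcSanitizer {

    // Example safelist (constructed for this illustration): start from jsoup's
    // basicWithImages(), which already allows <img> with src restricted to
    // http/https and forces rel="nofollow" on links, then add only the table
    // tags and attributes the editor actually needs.
    private static final Safelist EDITOR_SAFELIST = Safelist.basicWithImages()
            .addTags("table", "caption", "thead", "tbody", "tr", "th", "td")
            .addAttributes("td", "colspan", "rowspan")
            .addAttributes("th", "colspan", "rowspan");
    // Deliberately NOT added: the "style" attribute. jsoup passes attribute
    // values through unchanged (apart from protocol checks on URL attributes),
    // so allowing "style" would let arbitrary CSS reach the page unfiltered.
    // Styling is better expressed through a small set of allowed class names.

    // Returns the cleaned HTML fragment; anything not on the safelist is removed.
    public static String sanitize(String untrustedHtml) {
        return Jsoup.clean(untrustedHtml, EDITOR_SAFELIST);
    }

    // True when the fragment contains nothing the safelist would strip.
    // Useful for logging/alerting on submissions that needed cleaning.
    public static boolean isAlreadyClean(String untrustedHtml) {
        return Jsoup.isValid(untrustedHtml, EDITOR_SAFELIST);
    }

    public static void main(String[] args) {
        // Constructed sample input mixing legitimate content with typical
        // injection patterns: an event-handler attribute, a javascript: URL,
        // an inline style and a script tag.
        String constructed = "<table><tr><td onclick=\"alert(1)\" colspan=\"2\">cell</td></tr></table>"
                + "<img src=\"javascript:alert(1)\">"
                + "<img src=\"https://example.com/chart.png\" style=\"position:fixed\">"
                + "<script>alert(1)</script><p>hello</p>";

        System.out.println("valid as submitted: " + isAlreadyClean(constructed));
        System.out.println(sanitize(constructed));
    }
}
```

Running this keeps the table, the `colspan` attribute, the https image and the paragraph, while the `onclick` handler, the `javascript:` source, the `style` attribute and the `<script>` element are dropped. Note the trade-off this shows for the chart use case: any embed that relies on `<script>` or `<iframe>` will be stripped by a safelist like this, so charts would have to be stored as something the safelist can express (for instance an image URL or a server-side rendered element) rather than as the raw script output pasted from the console.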