Package org.apache.ofbiz.base.html
Class CustomPermissivePolicy
java.lang.Object
  org.apache.ofbiz.base.html.CustomPermissivePolicy

All Implemented Interfaces:
  SanitizerCustomPolicy
public class CustomPermissivePolicy extends java.lang.Object implements SanitizerCustomPolicy
Based on the AntiSamy eBay example. eBay (http://www.ebay.com/) is the most popular online auction site in the universe, as far as I can tell. It is a public site, so anyone is allowed to post listings with rich HTML content. Given eBay's attractiveness as a target, it is not surprising that it has been subject to a few complex XSS attacks. Listings are allowed to contain much richer content than, say, Slashdot, so its attack surface is considerably larger. The following tags appear to be accepted by eBay (they don't publish rules): <a>, ...
Field Summary
Modifier and Type: static org.owasp.html.PolicyFactory
Field: POLICY_DEFINITION
Description: A policy that can be used to produce policies that sanitize to HTML sinks via PolicyFactory.apply(org.owasp.html.HtmlStreamEventReceiver).
Constructor Summary
Constructor: CustomPermissivePolicy()
Method Summary
All Methods Instance Methods Concrete Methods Modifier and Type Method Description org.owasp.html.PolicyFactory
getSanitizerPolicy()
Used for getting the policy from the custom class which implements this interface
-
-
-
Method Detail

getSanitizerPolicy
public org.owasp.html.PolicyFactory getSanitizerPolicy()
Description copied from interface: SanitizerCustomPolicy
Used for getting the policy from the custom class which implements this interface.
Specified by:
  getSanitizerPolicy in interface SanitizerCustomPolicy
Returns:
  the policy specified in the class
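The Javadoc above documents the shape of a custom policy (a static org.owasp.html.PolicyFactory plus getSanitizerPolicy() returning it) and the sink path PolicyFactory.apply(HtmlStreamEventReceiver), but shows neither how such a PolicyFactory is built nor what it does to hostile markup. The following is an added example, not OFBiz's CustomPermissivePolicy and not the contents of its POLICY_DEFINITION: it builds an allow-list policy with the OWASP Java HTML Sanitizer's HtmlPolicyBuilder, exposes it through a getSanitizerPolicy() method, and runs constructed listing-style inputs containing XSS payloads through both the one-shot sanitize(String) path and the streaming apply() path. The element and attribute lists, the class name ExamplePermissivePolicy, and the local SanitizerCustomPolicy interface (a stand-in so the file compiles without OFBiz on the classpath) are this example's assumptions; the only dependency is the owasp-java-html-sanitizer artifact.

```java
import java.util.Arrays;
import java.util.List;

import org.owasp.html.Handler;
import org.owasp.html.HtmlPolicyBuilder;
import org.owasp.html.HtmlSanitizer;
import org.owasp.html.HtmlStreamEventReceiver;
import org.owasp.html.HtmlStreamRenderer;
import org.owasp.html.PolicyFactory;

/**
 * Stand-in for org.apache.ofbiz.base.html.SanitizerCustomPolicy so this file
 * compiles without OFBiz on the classpath. Assumption: the real interface has
 * exactly this one method, as the Javadoc above documents.
 */
interface SanitizerCustomPolicy {
    PolicyFactory getSanitizerPolicy();
}

/**
 * Example custom policy in the shape of CustomPermissivePolicy: a static
 * PolicyFactory plus getSanitizerPolicy() returning it. The element and
 * attribute lists below are this example's own choices, not OFBiz's
 * POLICY_DEFINITION.
 */
public class ExamplePermissivePolicy implements SanitizerCustomPolicy {

    public static final PolicyFactory POLICY_DEFINITION = new HtmlPolicyBuilder()
            // Allow-list, never block-list: any element not named here is dropped.
            .allowElements("a", "b", "i", "p", "br", "ul", "ol", "li", "img")
            // href only on <a>, src/alt only on <img>; event handlers such as
            // onclick/onerror are never listed, so they are stripped.
            .allowAttributes("href").onElements("a")
            .allowAttributes("src", "alt").onElements("img")
            // Restricts URL attributes to http, https and mailto, so a
            // javascript: href is rejected rather than passed through.
            .allowStandardUrlProtocols()
            .requireRelNofollowOnLinks()
            .toFactory();

    @Override
    public PolicyFactory getSanitizerPolicy() {
        return POLICY_DEFINITION;
    }

    /** One-shot path: untrusted string in, sanitized string out. */
    public static String sanitize(SanitizerCustomPolicy custom, String untrusted) {
        return custom.getSanitizerPolicy().sanitize(untrusted);
    }

    /**
     * Streaming path the field description refers to: PolicyFactory.apply(...)
     * wraps an HTML sink (here a renderer writing into a StringBuilder) so that
     * only policy-approved events reach it.
     */
    public static String sanitizeToSink(SanitizerCustomPolicy custom, String untrusted) {
        StringBuilder out = new StringBuilder();
        HtmlStreamEventReceiver renderer = HtmlStreamRenderer.create(out, Handler.DO_NOTHING);
        HtmlSanitizer.Policy policy = custom.getSanitizerPolicy().apply(renderer);
        HtmlSanitizer.sanitize(untrusted, policy);
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed inputs (not from the page): listing-style markup with
        // common XSS vectors mixed in.
        List<String> samples = Arrays.asList(
                "<p>Nice <b>item</b>, <a href=\"https://example.com/x\">details</a></p>",
                "<a href=\"javascript:alert(1)\" onclick=\"steal()\">click</a>",
                "<img src=\"x\" onerror=\"alert(document.cookie)\"><script>alert(1)</script>",
                "<iframe src=\"https://evil.example/\"></iframe><p style=\"x:expression(a)\">t</p>");
        SanitizerCustomPolicy custom = new ExamplePermissivePolicy();
        for (String s : samples) {
            System.out.println("in        : " + s);
            System.out.println("sanitize(): " + sanitize(custom, s));
            System.out.println("apply()   : " + sanitizeToSink(custom, s));
            System.out.println();
        }
    }
}
```

The point to check when reviewing a permissive policy like this one is the direction of the list: HtmlPolicyBuilder only emits what has been explicitly allowed, so widening the allow-list is where risk enters, not in what is left out. Any element added for richer listings (tables, styling, media) should be added with its attribute set spelled out the same way, and URL-bearing attributes should stay behind allowStandardUrlProtocols() or an equally narrow allowUrlProtocols(...) call.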