Package org.apache.ofbiz.base.html
Class CustomPermissivePolicy
java.lang.Object
org.apache.ofbiz.base.html.CustomPermissivePolicy
All Implemented Interfaces:
    SanitizerCustomPolicy
Based on the AntiSamy eBay example. eBay (http://www.ebay.com/) is the most
popular online auction site in the universe, as far as I can tell. It is a
public site, so anyone is allowed to post listings with rich HTML content.
It's not surprising, given the attractiveness of eBay as a target, that it
has been subject to a few complex XSS attacks. Listings are allowed to
contain much richer content than, say, Slashdot, so its attack surface is
considerably larger. The following tags appear to be accepted by eBay (they
don't publish rules):
<a>, ...
Field Summary

Modifier and Type                           Field              Description
static final org.owasp.html.PolicyFactory   POLICY_DEFINITION  A policy that can be used to produce policies that sanitize to HTML sinks via PolicyFactory.apply(org.owasp.html.HtmlStreamEventReceiver).

Constructor Summary

Constructor                 Description
CustomPermissivePolicy()

Method Summary

Modifier and Type              Method                 Description
org.owasp.html.PolicyFactory   getSanitizerPolicy()   Used for getting the policy from the custom class which implements this interface.
Field Details

POLICY_DEFINITION
public static final org.owasp.html.PolicyFactory POLICY_DEFINITION
A policy that can be used to produce policies that sanitize to HTML sinks via PolicyFactory.apply(org.owasp.html.HtmlStreamEventReceiver).

Constructor Details

CustomPermissivePolicy
public CustomPermissivePolicy()
Method Details

getSanitizerPolicy
public org.owasp.html.PolicyFactory getSanitizerPolicy()
Description copied from interface: SanitizerCustomPolicy
Used for getting the policy from the custom class which implements this interface.
Specified by:
    getSanitizerPolicy in interface SanitizerCustomPolicy
Returns:
    the policy specified in the class will be returned
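As an added example (not OFBiz's own code), a minimal implementation in the shape of this class: a static PolicyFactory built with the OWASP Java HTML Sanitizer's HtmlPolicyBuilder and handed back from getSanitizerPolicy(). It allows only the <a> tag the description lists, so it is far narrower than POLICY_DEFINITION; the local SanitizerCustomPolicy stand-in interface, the class name LinkOnlyPolicy and the sample input are assumptions made so the snippet compiles with just the sanitizer library on the classpath.

```java
import org.owasp.html.HtmlPolicyBuilder;
import org.owasp.html.PolicyFactory;

// Stand-in for org.apache.ofbiz.base.html.SanitizerCustomPolicy (assumption):
// the page shows it declaring a single getSanitizerPolicy() method.
interface SanitizerCustomPolicy {
    PolicyFactory getSanitizerPolicy();
}

// Hypothetical custom policy: links only, no inline event handlers, no
// script-bearing URL schemes. CustomPermissivePolicy allows far more than this.
public final class LinkOnlyPolicy implements SanitizerCustomPolicy {

    // Same pattern as the page's POLICY_DEFINITION: build once, reuse everywhere.
    static final PolicyFactory POLICY_DEFINITION = new HtmlPolicyBuilder()
            // Only the <a> element survives; every other tag is stripped.
            .allowElements("a")
            // Only href is kept on <a>; onclick and friends are dropped.
            .allowAttributes("href").onElements("a")
            // Restrict href to http, https and mailto, so javascript: URLs are rejected.
            .allowStandardUrlProtocols()
            // Add rel="nofollow" to every surviving link.
            .requireRelNofollowOnLinks()
            .toFactory();

    @Override
    public PolicyFactory getSanitizerPolicy() {
        return POLICY_DEFINITION;
    }

    // Sanitize an untrusted fragment the way OFBiz would use the returned factory.
    public static String sanitize(String untrustedHtml) {
        return new LinkOnlyPolicy().getSanitizerPolicy().sanitize(untrustedHtml);
    }

    public static void main(String[] args) {
        // Constructed sample input, not captured data.
        String untrusted = "<a href=\"javascript:alert(1)\" onclick=\"x()\">bad</a>"
                + "<script>x()</script>"
                + "<a href=\"https://example.com/\">ok</a>";
        System.out.println(sanitize(untrusted));
    }
}
```

Compare the output with the input to see which parts the policy kept: only the https link should remain, with rel="nofollow" added by the builder.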