BoxLang 🚀 A New JVM Dynamic Language Learn More...

AntiSamy

v2.1.0+1 Modules


Copyright Since 2005 ColdBox Platform by Luis Majano and Ortus Solutions, Corp
www.coldbox.org | www.ortussolutions.com


WELCOME TO THE ANTISAMY MODULE

OWASP AntiSamy Module that provides XSS cleanup operations to ColdBox applications

LICENSE

Apache License, Version 2.0.

SYSTEM REQUIREMENTS

  • Lucee 5+
  • ColdFusion 2018+

Instructions

Just drop into your modules folder or use the box-cli to install

box install cbantisamy

Usage

The module registers the following mapping in WireBox: antisamy@cbantisamy that you can use to clean input a-la-carte intrusions. You can also activate different policies and an auto clean interceptor that will clean incoming variables for you automatically. The main methods to clean input are:

/**
 * Clean HTML from XSS scripts using the AntiSamy project. The available policies are basic, antisamy, ebay, myspace, slashdot, custom
 *
 * @htmlData   The html data to clean
 * @policyFile The policy file to use. Defaults to the one in the configuration file
 *
 * @return sanitized html data
 */
string function clean( required htmlData, string policyFile = variables.defaultPolicy )

/**
 * Checks whether HTML is safe from XSS scripts using the AntiSamy project. The available policies are basic, antisamy, ebay, myspace, slashdot, custom
 *
 * @htmlData   The html data to clean
 * @policyFile The policy file to use. Defaults to the one in the configuration file
 *
 * @return True if it is safe, false if not
 */
boolean function check( required htmlData, string policyFile = variables.defaultPolicy )

You can also use the two registered helper methods which delegate to the two methods above:

  • antisamyClean()
  • antisamyCheck()

Settings

Here are the module settings you can place in your ColdBox.cfc under an antisamy structure

// Antisamy settings
moduleSettings = {
    "cbantisamy" : {
        // Activate auto request capture cleanups interceptor
        autoClean = true,
        // Default Policy to use, available are: antisamy, ebay, myspace, slashdot and tinymce
        defaultPolicy = "ebay",
        // Custom Policy absolute path, leave empty if not used
        customPolicy = ""
    }
};

You can read more about AntiSamy here: https://www.owasp.org/index.php/Category:OWASP_AntiSamy_Project


Copyright Since 2005 ColdBox Framework by Ortus Solutions, Corp www.ortussolutions.com


HONOR GOES TO GOD ABOVE ALL

Because of His grace, this project exists. If you don't like this, then don't read it, its not for you.

"Therefore being justified by faith, we have peace with God through our Lord Jesus Christ: By whom also we have access by faith into this grace wherein we stand, and rejoice in hope of the glory of God. And not only so, but we glory in tribulations also: knowing that tribulation worketh patience; And patience, experience; and experience, hope: And hope maketh not ashamed; because the love of God is shed abroad in our hearts by the Holy Ghost which is given unto us. ." Romans 5:5

THE DAILY BREAD

"I am the way, and the truth, and the life; no one comes to the Father, but by me (JESUS)" Jn 14:1-12

Changelog

All notable changes to this project will be documented in this file.

The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.


Unreleased

2.1.0 - 2023-04-20

Added

  • Github actions
  • Github supprt files
  • Upgraded to AntiSamy 1.7.3

[2.0.0] => 2022-01

Changed

  • Changes the HTMLSanitizer method to use the native adobe getSafeHTML() and isSafeHTML() methods when on ACF
  • Updates module registration to use the Coldbox 5+ conventions ( Module configuration now nested in moduleSettings )
  • Changes the autoClean module configuration setting to default to true. This is opinionated but also makes this module more "plug and play"
  • Adds a basic policy file. This policy file is the same default policy file used by ACF
  • Renames the resultsObject argument in HTMLSanitizer.cfc method to check and changes it to return a boolean, to allow for consistent return types between ACF and Lucee
  • Remove the check argument from the clean method and adds a check method in AntiSamy.cfc

Updated

  • Converts the build process to GitHub actions
  • Github repo slug was changed from cbox-antisamy to cbantisamy to allow the default CI scripts and request variables to work without major modification
  • Separates the Unit and Interceptor tests
  • Updates the AntiSamy JAR to v1.6.4

Added

  • New helper methods: antisamyClean(), antisamyCheck()
  • Adds additional tests for return types

[1.4.0] => 2017-03

Updated

  • Updated fixes on readme and assets
  • Update of all dependencies
  • Updated antisamy to version 1.5.7

[1.3.1] => 2017-03

Updated

  • Unified workbench

[1.3.0] => 2016-03

Updated

  • Updated build process
  • Travis integration
  • JavaLoader dependencies updated
  • DocBox udpates

[1.2.0] => 2015-08

Updated

  • Updated readme locations
  • Autoclean property not respecting proper boolean value
  • Updated build process to CommandBox

[1.1.0] => 2015-08

Updated

  • Invalid slug id, so CommandBox was getting confused on installations

Changed

  • Defaults for configuration setup differently to avoid collisions

[1.0.0] => 2014-11

Added

  • Create first module version

$ box install cbantisamy

No collaborators yet.
   
5.00 / 2
  • {{ getFullDate("2014-04-15T12:41:43Z") }}
  • {{ getFullDate("2023-04-20T12:23:31Z") }}
  • 10,390
  • 100,304