XSS Cheat Sheet

This document provides examples and documentation on how to use the XSSAPI service to prevent cross-site scripting attacks in AEM applications. It includes code samples demonstrating how to get an XSSAPI instance from the request or resource resolver and use its encoding, filtering, and validation methods. The philosophy section emphasizes encoding all output, using a validator for attributes like href instead of just encoding, and never writing your own encoding/filtering methods.

CQ/GRANITE ENGINEERING
XSS Cheat Sheet

How to get the XSSAPI Service?

Java component (OSGi service reference):

    import com.adobe.granite.xss.XSSAPI;

    @Reference
    private XSSAPI xssAPI;

Java (adapt from a ResourceResolver):

    import com.adobe.granite.xss.XSSAPI;

    public class MyClass {
        private void myFunction(ResourceResolver resourceResolver) {
            // adaptTo returns null if the service is unavailable; check before use
            XSSAPI xssAPI = resourceResolver.adaptTo(XSSAPI.class);
        }
    }

JSP (global.jsp declares the xssAPI variable):

    <%@ include file="/libs/foundation/global.jsp" %>
    <title><%= xssAPI.encodeForHTML(title) %></title>

Taglib:

    <cq:text property="jcr:title" tagName="h2" escapeXml="true"/>

Philosophy

- Allow all input - Encode all output
  Do not filter or encode input that gets stored, but always protect the user on output.
- Encode at the very end
  Encode the output statement itself, not intermediate values, so it is always obvious that an output statement is not dangerous, and you know you are encoding for the right context.
- Don't think too much
  Encode the content no matter where it is coming from. Your code might be copied or included, and the ACLs on the property might change.
- Never do it yourself
  Never write the encoding/filtering methods yourself. XSS encoding is very difficult and error prone. If something is missing in the library, please file a bug.
- Prefer a validator to an encoder
  Some situations, such as href and src attributes, MUST use a validator.

XSSAPI: Methods

Encoders

    // Encode string to use inside an HTML tag
    public String encodeForHTML(String source);

    // Encode string to use inside an HTML attribute
    public String encodeForHTMLAttr(String source);

    // Encode string to use inside an XML tag
    public String encodeForXML(String source);

    // Encode string to use inside an XML attribute
    public String encodeForXMLAttr(String source);

    // Encode string to use as a JavaScript string
    public String encodeForJSString(String source);

Validators

    // Get a valid dimension (e.g. an image width parameter)
    public String getValidDimension(String dimension, String defaultValue);

    // Get a valid URL (needs the request-/resource-resolver-specific API, see JCR based URL mapping)
    public String getValidHref(String url);

    // Get a valid integer from a string
    public Integer getValidInteger(String integer, int defaultValue);

    // Get a valid long from a string
    public Long getValidLong(String source, long defaultValue);

    // Validate a JavaScript token.
    // The value must be either a single identifier, a literal number, or a literal string.
    public String getValidJSToken(String token, String defaultValue);

Filters

    // Filter a string using the AntiSamy library to allow certain tags
    public String filterHTML(String source);

JCR based URL mapping

    // Use one of these to get an XSSAPI suitable for validating URLs
    public XSSAPI getRequestSpecificAPI(SlingHttpServletRequest request);
    public XSSAPI getResourceResolverSpecificAPI(ResourceResolver resolver);

Examples

Example API usages for the most common contexts:

    <%@ include file="/libs/foundation/global.jsp" %>
    <%
    String title = request.getParameter("title");
    String alertText = request.getParameter("alertText");
    String link = request.getParameter("link");
    String fontSize = request.getParameter("fontSize");
    String className = request.getParameter("className");
    // request-specific API: required for getValidHref (JCR based URL mapping)
    XSSAPI myXssAPI = xssAPI.getRequestSpecificAPI(request);
    %>
    <html>
    <head><title><%= xssAPI.encodeForHTML(title) %></title></head>
    <body>
    <p><%= xssAPI.filterHTML("Text with legitimate <b>HTML</b> Tags") %></p>
    <font size="<%= xssAPI.getValidInteger(fontSize, 3) %>">
    <a href="<%= myXssAPI.getValidHref(link) %>">click me</a>
    </font>
    <span class="<%= xssAPI.encodeForHTMLAttr(className) %>">
    <cq:text property="jcr:description" tagName="p" escapeXml="true"/>
    </span>
    <script>alert("<%= xssAPI.encodeForJSString(alertText) %>");</script>
    </body>
    </html>

Some exploit strings for testing

Contexts covered: HTML tags, HTML attributes, JSON attributes, node names.

    "><script>alert(23);</script>
    "><img src="bogus" onError="alert(23)">
    </script><script>alert(23);</script>
    "};alert(23);a={"a":"

See also: OWASP XSS Filter Evasion Cheat Sheet

2013 Adobe Systems, Incorporated.
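As an added illustration, not code from Adobe or from the cheat sheet, the following Python models the Philosophy rules ("encode all output", "encode at the very end") and the validator-versus-encoder distinction from the Validators section. Python standard-library calls (html.escape, json.dumps, urllib.parse) stand in for the XSSAPI methods so the demonstration runs offline; the stand-in function names, the choice to return an empty string when get_valid_href rejects a URL, and the default font size of 3 are assumptions of this example, not XSSAPI's contract. It runs the cheat sheet's own test strings through each output context and shows why an encoded javascript: href still runs script.

```python
"""Added illustration (not Adobe's code) of the cheat sheet's rules
"encode all output", "encode at the very end" and "prefer a validator to an
encoder". Python stdlib calls stand in for the XSSAPI methods so this runs
offline; in AEM call XSSAPI itself and never hand-roll encoders."""
import html
import json
from urllib.parse import urlsplit

# The cheat sheet's own test strings, constructed inline for the demo.
ATTR_BREAKOUT = '"><img src="bogus" onError="alert(23)">'
SCRIPT_BREAKOUT = '</script><script>alert(23);</script>'
JS_URL = 'javascript:alert(23)'


def encode_for_html(source):
    """Stand-in for encodeForHTML: element content; <, >, &, quotes escaped."""
    return html.escape(source, quote=True)


def encode_for_html_attr(source):
    """Stand-in for encodeForHTMLAttr: value of a double-quoted attribute."""
    return html.escape(source, quote=True)


def encode_for_js_string(source):
    """Stand-in for encodeForJSString, returned *with* its surrounding quotes.
    json.dumps leaves '<' untouched, so '</script>' inside the literal would
    still close the <script> element; escaping '<' as \\u003c keeps the
    browser in the string context."""
    return json.dumps(source).replace("<", "\\u003c")


def get_valid_href(url):
    """Stand-in for getValidHref as a *validator*, not an encoder.
    Only relative URLs and http(s) absolute URLs pass; any other scheme
    (javascript:, data:, ...) or a control character rejects the value.
    Returning '' on rejection is this model's choice (assumption)."""
    url = url.strip()
    if any(ord(c) < 0x20 for c in url):
        return ""
    scheme = urlsplit(url).scheme.lower()
    if scheme and scheme not in ("http", "https"):
        return ""
    return url


def get_valid_integer(source, default):
    """Stand-in for getValidInteger(String, int): parse or fall back."""
    try:
        return int(source)
    except (TypeError, ValueError):
        return default


def render(title, alert_text, link, font_size, class_name):
    """The cheat sheet's JSP example: every value is encoded or validated in
    the output statement, for its own context (HTML text, attribute, href,
    JS string), never earlier. Font-size default 3 is an assumption."""
    return "\n".join([
        f"<title>{encode_for_html(title)}</title>",
        f'<font size="{get_valid_integer(font_size, 3)}">',
        f'<a href="{get_valid_href(link)}">click me</a>',
        f'<span class="{encode_for_html_attr(class_name)}"></span>',
        f"<script>alert({encode_for_js_string(alert_text)});</script>",
    ])


def encoded_only_href(link):
    """The mistake the 'prefer a validator' rule warns about: attribute
    encoding leaves a javascript: URL byte-for-byte intact, because it
    contains none of the characters an HTML encoder touches."""
    return f'<a href="{encode_for_html_attr(link)}">click me</a>'


if __name__ == "__main__":
    print(render(SCRIPT_BREAKOUT, SCRIPT_BREAKOUT, JS_URL,
                 "12; onmouseover=x", ATTR_BREAKOUT))
    print(encoded_only_href(JS_URL))
```

Running it prints the rendered fragment with the script-breakout string neutralised in both the title and the JS string, the attribute breakout held inside the class attribute, the non-numeric font size replaced by the default, and the javascript: link dropped by the validator; the last line shows the same link surviving an encoder untouched, which is exactly why href and src need getValidHref.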