The OWASP Encoder Plugin creates a Velocity viewtool with a number of useful input-sanitization functions. Strategic use of such procedures in Velocity templates can help prevent XSS-based attacks.
Please refer to the General Instructions under Plugin Examples.
Once the plugin is installed, your Velocity context includes a new viewtool accessed by calling `$owasp`. Its capabilities are listed in the table below; each method accepts a string as its input argument.
The `for...` methods perform encoding operations that escape or enclose terminating sequences and similar dangers, and return the modified input. Each one is specific to a single output context (HTML content, HTML attribute, URI component, CSS, XML, and so on), so the method chosen must match the place in the template where the value is emitted. More detailed documentation of these can be found in the Encoder class's Javadoc.
| Method description |
|---|
| If input is a valid URL, returns a version sanitized with the |
| Encodes data for an XML CDATA section. Replaces |
| Sanitizes CSS strings using hexadecimal encodings; safe to use in both style blocks and attributes in HTML. Characters: |
| Encodes for CSS URL contexts. The context must be surrounded by |
| Encodes for both HTML text content and text attributes. Note that since this method handles both, it is less efficient than either |
| This method encodes for HTML text attributes. Characters: |
| This method encodes for HTML text content. Characters: |
| Encodes for unquoted HTML attribute values. |
| Encodes for a Java string. This method will use |
| Deprecated. Performs encoding of a URL, assumed valid. |
| Performs percent-encoding for a component of a URI, such as a query parameter name or value, path or query string. Ensures special characters are not interpreted as part of another component. |
| Encoder for XML and XHTML; see |
| Encodes XML attributes; see |
| Encodes XML content; see |
| Encodes XML comments. Not for use with (X)HTML contexts, as comments may be misinterpreted by browsers. |
The following input results in the subsequent output sequence:

```velocity
#set($url = "https://www.google.com/search?q=maven+repository&oq=maven&aqs=chrome.1.<script>alert('test');</script>.2855j0j1&sourceid=chrome&ie=UTF-8")
$owasp.validateUrl($url)
$owasp.forHtmlAttribute($url)
$owasp.urlHasXSS($url)
$owasp.forHtml("<script>window.location='/bad-url?doBadThings=true';</script>")
```

Output:

```
true
https://www.google.com/search?q=maven+repository&oq=maven&aqs=chrome.1.<script>alert('test');</script>.2855j0j1&sourceid=chrome&ie=UTF-8
true
<script>window.location='/bad-url?doBadThings=true';</script>
```
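To make the per-context distinction in the table concrete, here is an added Python model of three of the `$owasp` methods (forHtml, forUriComponent, forJavaScript) plus a urlHasXSS-style validity check, run over the sample URL above. This is illustration code, not the plugin's own (which wraps the Java OWASP Encoder); the character sets, the `url_has_xss` heuristic and the `render_link` helper are assumptions.

```python
"""Context-specific output encoding modelled on the $owasp viewtool.
Simplified re-implementation for illustration; the character sets below
are an assumption, not the OWASP Encoder's exact tables."""
import re
from urllib.parse import quote

# Sample URL from the page (test input; it carries a <script> payload).
SAMPLE_URL = ("https://www.google.com/search?q=maven+repository&oq=maven"
              "&aqs=chrome.1.<script>alert('test');</script>.2855j0j1"
              "&sourceid=chrome&ie=UTF-8")

_HTML = {"&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&#34;", "'": "&#39;"}

def for_html(s: str) -> str:
    """HTML text content and quoted attribute values: entity-encode the
    characters that can open a tag or entity or close a quoted attribute."""
    return "".join(_HTML.get(c, c) for c in s)

def for_uri_component(s: str) -> str:
    """Percent-encode everything outside RFC 3986 unreserved characters, so a
    value cannot spill out of its query parameter into another URI component."""
    return quote(s, safe="")

def _js_escape(c: str) -> str:
    if c.isascii() and c.isalnum():
        return c
    cp = ord(c)
    return "\\x%02X" % cp if cp < 256 else "\\u%04X" % cp

def for_javascript(s: str) -> str:
    """Inside a JS string literal: backslash-hex every non-alphanumeric, so the
    value can neither end the literal nor form a </script> sequence."""
    return "".join(_js_escape(c) for c in s)

def url_has_xss(url: str) -> bool:
    """Assumed heuristic: raw '<', '>', '"', whitespace or control characters
    cannot occur in a well-formed URL, so their presence means the string
    must not be echoed as a link at all (encoding is not a substitute)."""
    return re.search(r'[<>"\s\x00-\x1f]', url) is not None

def render_link(url: str, label: str) -> str:
    """Anchor with an inline handler; each slot gets the encoder for its
    context. The onclick value is a JS string inside an HTML attribute, so it
    is JS-escaped first and HTML-encoded second (browsers decode in reverse)."""
    if url_has_xss(url):
        url = "about:blank"  # refuse to emit a malformed URL as a link target
    handler = "track('%s')" % for_javascript(url)
    return '<a href="%s" onclick="%s">%s</a>' % (
        for_html(url), for_html(handler), for_html(label))
```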