forked from danieldbower/grails-sanitizer
-
Notifications
You must be signed in to change notification settings - Fork 0
/
README
85 lines (61 loc) · 3.1 KB
/
README
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
Grails Plugin for Sanitizing Markup using the Antisamy library.
Project HomePage: http://www.grails.org/plugin/sanitizer
Description:
Plugin for Sanitizing Markup(HTML, XHTML, CSS) using OWASP AntiSamy. Filters malicious content from User generated content (such as that entered through Rich Text boxes).
Features
1. Configurable Rulesets in src/groovy/antisamyconfigs/antisamy-policy.xml
2. Constraint "markup"
can be added to domain/command classes to validate that a string is valid and safe markup
important note: The constraint is for validation only, it does not sanitize the string
3. Encoding-only Codec "myText.encodeAsSanitizedMarkup()"
use the codec or the service to sanitize the string
(the codec uses the service, too)
4. MarkupSanitizerService
use the codec or the service to sanitize the string
access in your controllers/services via
def markupSanitizerService
method MarkupSanitizerResult sanitize(String dirtyString)
effectively a singleton, which means the ruleset only needs to be read once on startup
Installation
1. Add to your BuildConfig.groovy:
(For Grails 2.2.x)
build ":sanitizer:0.10.0"
(For Grails 2.3.x)
build ":sanitizer:0.11.0"
(For Grails 2.4.x)
build ":sanitizer:0.12.0"
2. "grails compile" to download/install/compile the plugin
3. From there, you can use antisamy from the MarkupSanitizerServce, the SanitzedMarkupCodec, or the Domain Constraint.
Select a Policy (Optional)
The default policy is quite strict, however, you can modify it in several ways:
1. Run "grails antisamy" to get a list of policies to choose from.
Run "grails antisamy 1" to select the first policy, or the one you want.
2. Do the above and customize the contents of the file at: src/groovy/antisamyconfigs/antisamy-policy.xml
3. Provide your own policy file and add a config item such as:
sanitizer.config = 'antisamyconfigs/antisamy-myspace-1.4.4.xml'
You can add this config value to Config.groovy
sanitizer.trustSanitizer=true
By default, if there is a message given by the sanitizer during cleaning, the sanitizer codec will return an empty string.
Setting trustSanitizer to true will allow you to ignore the messages issued by the sanitizer and just use the output.
Constraint example:
In your domain/command object add a constraint to inform the user if they've submitted invalid markup:
static constraints = {
myTextProperty(maxSize: 65000, markup:true)
}
Codec example:
On strings, you can use the codec to clean a value:
newsItemInstance.text = newsItemInstance.text.encodeAsSanitizedMarkup()
Service Example:
Use the sanitizer as follows in controllers or other services:
import org.grails.plugins.sanitizer.MarkupSanitizerResult
...
// inject service def markupSanitizerService
...
// implement the sanitizer in a method of your choice
MarkupSanitizerResult result = markupSanitizerService.sanitize(input)
if(!result.isInvalidMarkup()) {
//return result.cleanString
} else {
//return result.errorMessages
//return result.cleanString
}