You can customize the sanitizer policies used by the XSSParameterValidator component by writing your own policy holder class, creating a Nucleus component of this class, and setting the XSSParameterValidator component’s policyHolder property to this custom component. To create a policy holder class, you can either write a new class that implements the XSSParameterPolicyHolder interface or subclass DefaultXSSParameterPolicyHolder. Your policy holder class can use the PREPKGD_POLICIES variable to incorporate the policies discussed above, and also use org.owasp.html.HtmlPolicyBuilder and other OWASP classes to create additional policies.

The atg.servlet.security.param.CustomXSSParameterPolicyHolder class provides an example of a custom policy holder. It defines a static member variable named STYLE_POLICY_DEFINITION, built using the org.owasp.html.HtmlPolicyBuilder class, that encapsulates a policy which allows the use of the style attribute in HTML <p> tags. The getPolicies() method of CustomXSSParameterPolicyHolder returns this policy as well as the policies encapsulated by PREPKGD_POLICIES:

// Imports needed by this fragment
import java.util.ArrayList;
import java.util.List;

import org.owasp.html.HtmlPolicyBuilder;
import org.owasp.html.PolicyFactory;

// Policy that permits the style attribute (allowed globally) and the <p>
// element; since <p> is the only element this policy allows, style
// effectively applies to <p> tags only
public static final PolicyFactory STYLE_POLICY_DEFINITION = new
    HtmlPolicyBuilder()
        .allowAttributes("style").globally()
        .allowElements("p")
        .toFactory();

// Return the prepackaged policies together with the custom style policy
public List<PolicyFactory> getPolicies() {
  List<PolicyFactory> policies = new ArrayList<PolicyFactory>();
  policies.add(PREPKGD_POLICIES);
  policies.add(STYLE_POLICY_DEFINITION);
  return policies;
}
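The following is an added example, not code from the ATG documentation or from the CustomXSSParameterPolicyHolder class. It shows how to build a second custom policy with org.owasp.html.HtmlPolicyBuilder and check what it admits and strips before the PolicyFactory is returned from a policy holder's getPolicies() method. The class name LinkPolicyCheck, the LINK_POLICY_DEFINITION constant and the sample inputs are assumptions made for the example; it only requires the OWASP Java HTML Sanitizer on the classpath and does not depend on ATG classes.

```java
import org.owasp.html.HtmlPolicyBuilder;
import org.owasp.html.PolicyFactory;

// Hypothetical standalone check of a custom OWASP policy. The same
// PolicyFactory could later be added to the list returned by a
// policy holder's getPolicies() method.
public class LinkPolicyCheck {

  // Custom policy: <p> may carry a style attribute, <a> may carry an href,
  // href is limited to the http and https protocols, and every surviving
  // link gets rel="nofollow" added.
  public static final PolicyFactory LINK_POLICY_DEFINITION = new
      HtmlPolicyBuilder()
          .allowElements("p", "a")
          .allowAttributes("style").onElements("p")
          .allowAttributes("href").onElements("a")
          .allowUrlProtocols("http", "https")
          .requireRelNofollowOnLinks()
          .toFactory();

  // Apply the policy to one untrusted fragment and return the sanitized form
  public static String sanitize(String untrusted) {
    return LINK_POLICY_DEFINITION.sanitize(untrusted);
  }

  public static void main(String[] args) {
    // Constructed sample inputs: the first two are allowed by the policy,
    // the rest carry attributes, protocols or elements the policy rejects.
    String[] samples = {
      "<p style=\"color:red\">ok</p>",
      "<a href=\"https://example.com/\">link</a>",
      "<a href=\"javascript:void(0)\">link</a>",
      "<p onmouseover=\"x()\">text</p><script>y()</script>",
    };
    for (String s : samples) {
      System.out.println(s + "  ->  " + sanitize(s));
    }
  }
}
```

Running the class prints each sample beside its sanitized form, which makes it easy to confirm that a new policy admits exactly the markup you intended before you register the holder component and point the XSSParameterValidator component's policyHolder property at it.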
Configuring a Custom Policy Holder

Configure your custom policy holder component as follows:


Copyright © 1997, 2016 Oracle and/or its affiliates. All rights reserved. Legal Notices