By default, the Oracle Commerce Platform is configured to use the /atg/dynamo/servlet/security/XSSParameterValidator component, of class atg.servlet.security.param.XSSParameterValidator, for filtering both query parameters and POST parameters. XSSParameterValidator uses the OWASP Java HTML Sanitizer library to filter query parameters. The library's sanitizer policies specify the criteria for deciding which tags and attributes are considered suspicious or risky. If a request parameter's value includes HTML that is not explicitly permitted by the active policies, the request is rejected and a 403 Forbidden error is returned.

XSSParameterValidator has a policyHolder property that specifies the component that defines the policies in use. This component must be of a class that implements the atg.servlet.security.param.XSSParameterPolicyHolder interface. By default, the policyHolder property is set to /atg/dynamo/servlet/security/XSSParameterPolicyHolder, of class atg.servlet.security.param.DefaultXSSParameterPolicyHolder.

The XSSParameterPolicyHolder interface defines a single method, getPolicies(). XSSParameterPolicyHolder also defines a static member variable, PREPKGD_POLICIES, whose value is formed by concatenating the values of four static member variables defined in the org.owasp.html.Sanitizers class. These variables are instances of class org.owasp.html.PolicyFactory, and each implements a specific sanitizer policy:

The implementation of the getPolicies() method in the DefaultXSSParameterPolicyHolder class returns the policies encapsulated by PREPKGD_POLICIES:

import java.util.ArrayList;
import java.util.List;
import org.owasp.html.PolicyFactory;

// Returns a one-element list holding the pre-packaged OWASP policies
public List<PolicyFactory> getPolicies() {
    List<PolicyFactory> policies = new ArrayList<PolicyFactory>();
    policies.add(PREPKGD_POLICIES);
    return policies;
}
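As an added example (not Oracle's or the OWASP project's code), the following hypothetical policy holder shows how a site would supply its own policies to XSSParameterValidator: it keeps PREPKGD_POLICIES and adds one narrow policy built with the sanitizer's HtmlPolicyBuilder. The class name, the extra <abbr> policy and the isCleanUnder helper are assumptions for illustration; the helper shows what the combined policies strip from a value and is not the validator's own rejection logic.

```java
import java.util.ArrayList;
import java.util.List;
import org.owasp.html.HtmlPolicyBuilder;
import org.owasp.html.PolicyFactory;
import atg.servlet.security.param.XSSParameterPolicyHolder;

/**
 * Hypothetical policy holder (assumption, not an Oracle class). It would be
 * wired in by pointing the policyHolder property of
 * /atg/dynamo/servlet/security/XSSParameterValidator at a component of this class.
 */
public class AbbrAwarePolicyHolder implements XSSParameterPolicyHolder {

  // Extra policy (assumption): permit only <abbr> with a title attribute.
  private static final PolicyFactory ABBR_POLICY = new HtmlPolicyBuilder()
      .allowElements("abbr")
      .allowAttributes("title").onElements("abbr")
      .toFactory();

  @Override
  public List<PolicyFactory> getPolicies() {
    List<PolicyFactory> policies = new ArrayList<PolicyFactory>();
    policies.add(PREPKGD_POLICIES); // the four pre-packaged OWASP policies
    policies.add(ABBR_POLICY);      // site-specific addition
    return policies;
  }

  /**
   * Illustration only: combine the policies with PolicyFactory.and() and
   * report whether sanitizing the value leaves it unchanged, i.e. whether it
   * contains no markup the active policies would strip.
   */
  static boolean isCleanUnder(List<PolicyFactory> policies, String value) {
    PolicyFactory combined = policies.get(0);
    for (int i = 1; i < policies.size(); i++) {
      combined = combined.and(policies.get(i));
    }
    return combined.sanitize(value).equals(value);
  }

  public static void main(String[] args) {
    List<PolicyFactory> policies = new AbbrAwarePolicyHolder().getPolicies();
    // Constructed sample parameter values
    String plain = "<b>Sale</b> on <abbr title=\"Oracle Commerce\">OC</abbr>";
    String withScript = "<b>Sale</b><script>alert(1)</script>";
    System.out.println("plain clean: " + isCleanUnder(policies, plain));
    System.out.println("script clean: " + isCleanUnder(policies, withScript));
  }
}
```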

For information about the OWASP Java HTML Sanitizer Project, see https://www.owasp.org/index.php/OWASP_Java_HTML_Sanitizer_Project.


Copyright © 1997, 2016 Oracle and/or its affiliates. All rights reserved.