By default, the Oracle Commerce Platform is configured to use the /atg/dynamo/servlet/security/XSSParameterValidator component, of class atg.servlet.security.param.XSSParameterValidator, for filtering both query parameters and POST parameters. XSSParameterValidator uses the OWASP Java HTML Sanitizer library to filter query parameters. This library implements sanitizer policies that specify criteria for determining which tags and attributes are considered suspicious or risky. If a request parameter's value includes HTML that is not explicitly permitted by the active policies, the request is rejected and a 403 Forbidden error is returned.

XSSParameterValidator has a policyHolder property that specifies the component defining the policies in use. This component must be of a class that implements the atg.servlet.security.param.XSSParameterPolicyHolder interface. By default, the policyHolder property is set to /atg/dynamo/servlet/security/XSSParameterPolicyHolder, of class atg.servlet.security.param.DefaultXSSParameterPolicyHolder.
The XSSParameterPolicyHolder interface defines a single method, getPolicies(). XSSParameterPolicyHolder also defines a static member variable, PREPKGD_POLICIES, whose value is formed by concatenating the values of four static member variables defined in the org.owasp.html.Sanitizers class. These variables are instances of class org.owasp.html.PolicyFactory, and each implements a specific sanitizer policy:

- BLOCKS (allows the HTML elements <p>, <div>, <h1>, <h2>, <h3>, <h4>, <h5>, <h6>, <ul>, <ol>, <li>, <blockquote>)
- FORMATTING (allows the HTML elements <b>, <i>, <font>, <s>, <u>, <o>, <sup>, <sub>, <ins>, <del>, <strong>, <strike>, <tt>, <code>, <big>, <small>, <br>, <span>)
- LINKS (allows the standard protocols http, https, mailto, and relative links)
- STYLES (allows safe CSS properties)
The implementation of the getPolicies() method in the DefaultXSSParameterPolicyHolder class returns the policies encapsulated by PREPKGD_POLICIES:

    public List<PolicyFactory> getPolicies() {
        List<PolicyFactory> policies = new ArrayList<PolicyFactory>();
        policies.add(PREPKGD_POLICIES);
        return policies;
    }
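The following is an added example, not code from the Oracle Commerce Platform or from the OWASP project. It shows a custom XSSParameterPolicyHolder that keeps the prepackaged policies and additionally permits <img> elements through the OWASP Sanitizers.IMAGES policy, together with a small check that reports whether a parameter value contains markup the policies would discard. The class and package names (example.security.ImagePermittingPolicyHolder), the Nucleus .properties wiring shown in the comment, the sample parameter values, and the use of org.owasp.html.HtmlChangeListener to detect discarded tags and attributes are all assumptions of this example; the page does not show how XSSParameterValidator itself decides to reject a request.

```java
package example.security; // hypothetical package, chosen for this example

import java.util.ArrayList;
import java.util.List;

import org.owasp.html.HtmlChangeListener;
import org.owasp.html.PolicyFactory;
import org.owasp.html.Sanitizers;

import atg.servlet.security.param.XSSParameterPolicyHolder;

/**
 * Policy holder that extends the prepackaged policies with the OWASP IMAGES policy.
 *
 * Hypothetical Nucleus wiring (assumed layout, not shipped with the platform):
 *   /atg/dynamo/servlet/security/ImagePermittingPolicyHolder.properties
 *     $class=example.security.ImagePermittingPolicyHolder
 *   /atg/dynamo/servlet/security/XSSParameterValidator.properties
 *     policyHolder=/atg/dynamo/servlet/security/ImagePermittingPolicyHolder
 */
public class ImagePermittingPolicyHolder implements XSSParameterPolicyHolder {

    // PREPKGD_POLICIES (BLOCKS + FORMATTING + LINKS + STYLES) is inherited from the
    // interface; PolicyFactory.and() combines it with the IMAGES policy.
    private static final PolicyFactory EXTENDED_POLICY =
        PREPKGD_POLICIES.and(Sanitizers.IMAGES);

    public List<PolicyFactory> getPolicies() {
        List<PolicyFactory> policies = new ArrayList<PolicyFactory>();
        policies.add(EXTENDED_POLICY);
        return policies;
    }

    /**
     * Returns true if any policy discards a tag or attribute from the value, i.e. the
     * value contains HTML the policies do not explicitly permit. This is the example's
     * own approximation of the validator's check, not the platform's actual logic.
     */
    static boolean containsDisallowedHtml(String value, List<PolicyFactory> policies) {
        final boolean[] discarded = { false };
        HtmlChangeListener<Object> listener = new HtmlChangeListener<Object>() {
            public void discardedTag(Object context, String elementName) {
                discarded[0] = true;
            }
            public void discardedAttributes(Object context, String tagName, String... attributeNames) {
                discarded[0] = true;
            }
        };
        for (PolicyFactory policy : policies) {
            // The sanitized output is not needed here; only the listener callbacks matter.
            policy.sanitize(value, listener, null);
            if (discarded[0]) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        List<PolicyFactory> policies = new ImagePermittingPolicyHolder().getPolicies();
        // Constructed sample parameter values for illustration.
        String[] samples = {
            "plain text, no markup",
            "<b>bold</b> and <a href=\"https://example.com/\">link</a>",
            "<img src=\"https://example.com/a.png\" alt=\"a\">",
            "<script>alert(1)</script>",
            "<b onmouseover=\"x()\">hover</b>"
        };
        for (String sample : samples) {
            String verdict = containsDisallowedHtml(sample, policies) ? "REJECT" : "ALLOW ";
            System.out.println(verdict + "  " + sample);
        }
    }
}
```

The check deliberately uses the sanitizer's change listener rather than comparing the sanitized string with the original: the OWASP library normalizes permitted markup as it rewrites it (for example, it adds rel="nofollow" to links allowed by LINKS and emits <img> as a self-closing tag), so a plain string comparison would flag values that the policies in fact permit.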
For information about the OWASP Java HTML Sanitizer Project, see https://www.owasp.org/index.php/OWASP_Java_HTML_Sanitizer_Project.