I'm trying to use AntiSamy to prevent XSS attacks on my site. I downloaded the following jars and added them to "/WEB-INF/lib"
antisamy-1.5.3.jar
nekohtml.jar
xercesImpl-2.5.0.jar
along with a policy file antisamy-slashdot-1.4.4.xml in "/WEB-INF".
I tried to implement a filter through web.xml. A snippet of the servlet I'm using is
public class AntiSamyFilter implements Filter {
private static final Logger LOG = Logger.getLogger(AntiSamyFilter.class);
private final AntiSamy antiSamy;
public AntiSamyFilter() {
try {
URL url = this.getClass().getClassLoader().getResource("antisamy-slashdot-1.4.4.xml");
LOG.info("After getResource");
Policy policy = Policy.getInstance(url.getFile()); //Deployment fails
LOG.info("After Policy");
antiSamy = new AntiSamy(policy);
LOG.info("After antiSamy");
} catch (PolicyException e) {
throw new IllegalStateException(e.getMessage(), e);
}
}
}
The deployment fails after Policy policy = Policy.getInstance(url.getFile());. It's probably because of the path of the policy file.
Can someone please tell me where the policy file should be kept?
The url.getFile part fails because it couldn't find the antisamy-slashdot-1.4.4.xml file. I created a package in src/my/package and changed
URL url = this.getClass().getClassLoader().getResource("antisamy-slashdot-1.4.4.xml");
to
URL url = this.getClass().getClassLoader().getResource("/my/package/antisamy-slashdot-1.4.4.xml");
I also added batik.jar along with the other jar files. It solved my problem