I am trying to add all the XSS validation in my project. I have added the below Parameter Validation Filter in web.xml:

<filter>
    <filter-name>ParameterValidationFilter</filter-name>
    <filter-class>com.matthewcasperson.validation.filter.ParameterValidationFilter</filter-class>
    <init-param>
        <param-name>configFile</param-name>
        <param-value>/WEB-INF/xml/pvf.xml</param-value>
    </init-param>
</filter>
<filter-mapping>
    <filter-name>ParameterValidationFilter</filter-name>
    <url-pattern>*.jsp</url-pattern>
</filter-mapping>
Do I still need to add HTML Sanitizer in my project?
I know this is a pretty old query, but I would like to answer it. A sanitizer is basically used to clean the input, but usually sanitizing the input is only good when it does not affect the outcome. So, as the Parameter Validation Filter provides default sanitization of only removing whitespace, I don't think you need to use anything else.
But still, it depends from project to project; I don't usually recommend sanitization.
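The distinction the answer draws (trimming input versus cleaning it) is easiest to see side by side. The following is an added example, not code from the question, the answer, or the ParameterValidationFilter project: it stands in a whitespace-trimming rule like the filter's default, an allow-list check a filter could enforce for a parameter with a known shape, and the HTML output encoding a JSP should apply when it echoes a parameter. The class name, the helper methods, and the sample parameter values are all constructed for this illustration.

```java
// Added example (not from the question, the answer, or the filter project):
// shows that trimming whitespace from a request parameter leaves markup
// intact, and that what neutralizes reflected XSS is encoding the value for
// the HTML context where the JSP writes it. All names below are assumptions.
import java.util.List;

public class EncodingVsTrimming {

    // Stand-in for a parameter filter's default rule: strip surrounding whitespace.
    // It changes nothing about the characters that matter to an HTML parser.
    static String trimOnly(String param) {
        return param == null ? null : param.trim();
    }

    // Positive (allow-list) validation for a parameter with a fixed shape, e.g.
    // a user id. A filter driven by a rules file can reject non-matching values
    // before the JSP ever sees them; it is a layer independent of output encoding.
    static boolean isValidUserId(String param) {
        return param != null && param.matches("[A-Za-z0-9_]{1,32}");
    }

    // Minimal encoder for HTML body/attribute context. Hand-rolled here only so
    // the example runs with no dependencies; a maintained library encoder (such
    // as OWASP Java Encoder's Encode.forHtml) is the usual choice in a project.
    static String encodeForHtml(String s) {
        if (s == null) return "";
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#x27;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // What an unencoded JSP expression effectively produces.
    static String renderUnencoded(String nameParam) {
        return "<p>Hello, " + trimOnly(nameParam) + "</p>";
    }

    // The same page with the parameter encoded for the HTML context it lands in.
    static String renderEncoded(String nameParam) {
        return "<p>Hello, " + encodeForHtml(trimOnly(nameParam)) + "</p>";
    }

    public static void main(String[] args) {
        // Constructed sample inputs: a benign value and one carrying markup.
        List<String> samples = List.of("  alice  ", "  <script>alert(1)</script>  ");
        for (String s : samples) {
            String trimmed = trimOnly(s);
            System.out.println("trimmed only   : " + trimmed);
            System.out.println("passes allow-list: " + isValidUserId(trimmed));
            System.out.println("unencoded page : " + renderUnencoded(s));
            System.out.println("encoded page   : " + renderEncoded(s));
            System.out.println();
        }
    }
}
```

Running this shows the markup surviving `trimOnly` unchanged and appearing verbatim in `renderUnencoded`, while `renderEncoded` turns `<` and `>` into entities so the browser displays the text rather than executing it; the allow-list check rejects the same value outright. The practical reading of the answer is that a parameter filter and output encoding address different points in the request, and the encoding step in the JSP is the one that decides whether an echoed parameter can become script.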