When displaying user data in our HTML pages, all tags and quotes should be stripped of potentially harmful code and scripts in order to avoid cross-site scripting (XSS) attacks.
The following example shows how the xsstool viewtool is mapped in the toolbox.xml file:
```xml
<tool>
  <key>xsstool</key>
  <scope>application</scope>
  <class>com.dotcms.rendering.velocity.viewtools.XssWebAPI</class>
</tool>
```
dotCMS provides the $xsstool viewtool to assist with this, enabling you to easily and safely encode user data for use as HTML tag attributes or content.
Methods
The xsstool viewtool has the following methods:
| Method | Description |
|---|---|
| `$xsstool.strip(String)` | Removes scripts and other malicious code from the string. Searches for a configurable pattern defined in `system.properties` as `com.liferay.util.Xss.regexp.pattern`. |
| `$xsstool.escapeHTMLAttrib(String)` | Escapes every character and possible script in the string to make it safe for use as an HTML attribute value. The method is hardened with the Java implementation of ESAPI. |
| `$xsstool.escape(String)` | Behaves exactly the same as `$xsstool.escapeHTMLAttrib(String)`; it is a shorter alias provided for convenience. |
| `$xsstool.unEscape(String)` | Restores a string that was previously escaped with `escapeHTMLAttrib` back to its original value. |
| `$xsstool.hasXss(String)` | Returns whether XSS code is detected in the string, using the same pattern as `strip(String)`. |
Example
Consider the following HTML tag:

```html
<input type="text" value="$myVal"/>
```

If the `$myVal` variable holds a value that was entered by a user, that user could supply a value that closes the `value` attribute and injects arbitrary script into the page. To prevent this, use xsstool to escape the variable for the attribute context:

```html
<input type="text" value="$xsstool.escapeHTMLAttrib($myVal)"/>
```
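The following added example (not dotCMS code) reproduces the two templates above in Python so the difference can be checked with an HTML parser: `html.escape` stands in for `$xsstool.escapeHTMLAttrib`, and the user input is a constructed sample of the attribute-closing value the text describes.

```python
import html
from html.parser import HTMLParser

# Constructed sample of user-controlled input: it closes the value attribute
# and tries to add an event-handler attribute of its own.
USER_INPUT = '" onfocus="injected()'


def render_unsafe(user_value: str) -> str:
    """Equivalent of <input type="text" value="$myVal"/> with no encoding."""
    return f'<input type="text" value="{user_value}"/>'


def escape_html_attrib(user_value: str) -> str:
    """Attribute-context encoding; a stand-in for $xsstool.escapeHTMLAttrib.

    quote=True turns both " and ' into entities, so the value can never
    terminate the attribute it is placed in.
    """
    return html.escape(user_value, quote=True)


def render_safe(user_value: str) -> str:
    """Equivalent of value="$xsstool.escapeHTMLAttrib($myVal)"."""
    return f'<input type="text" value="{escape_html_attrib(user_value)}"/>'


class _InputAttrCollector(HTMLParser):
    """Collects the attributes the browser would see on the <input> tag."""

    def __init__(self) -> None:
        super().__init__()
        self.attrs: dict = {}

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            self.attrs = dict(attrs)


def input_attributes(markup: str) -> dict:
    """Parse the rendered tag and return its attributes (entities decoded)."""
    parser = _InputAttrCollector()
    parser.feed(markup)
    return parser.attrs


if __name__ == "__main__":
    print("unsafe:", input_attributes(render_unsafe(USER_INPUT)))
    print("safe:  ", input_attributes(render_safe(USER_INPUT)))
```

In the unescaped rendering the parser reports an extra `onfocus` attribute; in the escaped rendering the whole input survives as the `value` attribute's text and nothing else.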