1 Reply Latest reply on Jul 3, 2009 9:05 AM by Nick Belaevski

    XSS filter in RichFaces Editor

    J W Newbie


      As RichFaces editor (or any wysiwyg for that matter) allow user to input html-formated content, nice feature would be integrated, server-side anti-XSS (Cross-site Scriptiong) filter.

      XSS is one of the top webbased applications threads, so including such funtionality should considerably improve quality of a RichFaces framework.

      It could look something like this:

      <rich: editor ...>
       <rich:XSSFilter allowedTags="..." stripComments="true|false" .../>

      An example of a filter written for JAVA can be found here: http://josephoconnell.com/java/xss-html-filter/. Such filter is not dificult to write, as it is based some regular expressions.