WaveMaker Docs

WaveMaker Docs

  • Get started
  • Widgets
  • Mobile
  • How-to
  • Enterprise
  • Releases
  • Blog
  • Sign-in

›App Security

Getting started

  • Introduction
  • Walkthrough

Pages

  • Pages Overview
  • Creating a Page
  • Layout and Styles

    • Page Layout
    • Templates
    • Themes
    • Accessibility

    Page Configure

    • Page Artefacts
    • Page Cache
    • Partial Page
    • Page Parameters
    • Examples

    Page Actions

    • Navigation
    • Events

    Custom Development

    • Theme Editor
    • Manual Theme
    • Create Template

SSPA

  • Micro Frontend App

Databases

  • Database Services Overview
  • Database Tools
  • Database Designing

    • Working with Databases
    • Data Modelling
    • DataBase Schema Modes
    • Working with DB Schema
    • Database Views
    • Temporal Support

    Accessing Database

    • Accessing Database

    Queries and Procedures

    • Working with Queries
    • Working with Stored Procedures
    • Version Queries & Procedures
    • Blob Queries and Procedures
    • Queries & Procedures - Java Services

    Database Variables & API

    • Database CRUD
    • CRUD Event Listeners
    • Database APIs
    • Database Service APIs

REST & SOAP

  • Web Services Overview
  • Restful

    • REST Services
    • Secure Server-side Properties
    • REST Request Timeouts
    • REST Services using OAuth 2.0

    SOAP

    • Working with SOAP Services
    • Imported SOAP APIs

    Websocket

    • Working with WebSockets

    APIs

    • API Designer
    • Mocking APIs
    • Mocking REST API
    • Swagger Import

    Variables

    • CRUD Variable
    • Service Variable
    • WebSocket Variable

Java Services

  • Java Service
  • Java Services

    • Java Integration Services
    • DB Service Integration
    • API Composition
    • Variables for Invocation
    • Generated REST APIs (API Designer)

    Java Services Variables & API

    • Variable for Java Service
    • Java Service APIs

    Source Files

    • Resources and Third-party Libraries
    • Using 3rd party JavaScript files
    • Using 3rd party jar files

Variables & Actions

    Variables

    • Variables Overview
    • Model Variable
    • Device Variables

    Binding

    • Variable Binding
    • Custom Formatter

    Actions

    • Actions
    • Navigation Action
    • Login Action
    • Logout Action
    • Timer Action
    • Notification Action

    Events

    • Events
    • JavaScript Access

Security

    App Security

    • Overview
    • Authentication
    • Authorization
    • Access Levels & Permissions
    • Login Configuration
    • Session Persistence
    • SSL Encryption
    • XSS antisamy policy configuration
    • OWASP
    • XSS Prevention
    • Central Authentication System
    • Token Based Authentication
    • SAML Integration
    • Secure Connection for Deployed Apps
    • Concurrent Sessions
    • HostHeader Injection

    Security Variable and API

    • Security Variables
    • Remember Me
    • Variable for Security Service
    • Security Service APIs

Developer options

  • Test and Run (Preview) Apps
  • Chrome Extension: Devtool
  • Debugging
  • Inspection Framework
  • Build Options
  • WaveMaker Mobile Apps Automation
  • Developer Integration

    • Project User Management
    • Developer Collaboration
    • Extending the Application using IDEs
    • Import, Export & Update Apps
    • Project Shells

    Add-ons

    • Localization
    • Artifacts Repository

Deployment

  • Overview
  • Deployment Profile
  • One-click Deployment
  • WaveMaker CI/CD Pipeline

    • Overview
    • Configuration Profiles
    • Configuration Management
    • Pipelines and Phases

    Pipeline Configuration

    • Default Pipelines in WMO
    • Configure Pipeline in WME

    Deploy to Cloud Providers

    • AWS
    • Azure
    • Google Cloud
    • DigitalOcean

    Pipeline Configuration cont.

    • Phase configurations
    • Webhooks Integration
    • Tests Integration

    Manage Deployed Apps

    • Manage Deployed Apps

    Integrate with your CI/CD Providers

    • Push Code to External repo
    • Custom VCS Integration
    • Export WaveMaker Application
    • Building Project with Maven
    • Build with Docker
    • Jenkins Integration
    • Deploy using Docker Compose
    • Deployment to Heroku

    WaveMaker apps Interation with CDN

    • App Integration with AWS CDN
    • App Integration with Azure CDN

    Deployment to external web servers

    • Application Server Overview
    • Deploy to Tomcat
    • WebSphere
    • JBoss - WildFly
    • WebLogic Server

Connectors

  • Introduction
  • Architecture
  • Import Connectors
  • List of Connectors
  • Build a New Connector

Teams

  • Overview
  • Team Setup
  • Dashboard
  • Manage Users
  • Manage Projects
  • Manage Prefabs
  • Project Branches
  • Manage Roles
  • Code Repository
  • Import VCS Project
  • Team Profile
  • Manage Subscription
  • FAQs
Edit

XSS antisamy policy configuration


AntiSamy is an HTML, CSS and JavaScript filter for Java that sanitizes user input based on a policy file. AntiSamy is not an HTML, CSS and JavaScript validator. It is merely a way to make sure HTML, CSS and JavaScript input strictly follows rules defined by a policy file.

AntiSamy is a sanitization framework; it is up to the user how it does its sanitization. Using AntiSamy does not guarantee to filter of all malicious code. AntiSamy simply does what is described by the policy file.

Configuring Your AntiSamy Policy

If the default policy file wm-xss-policies.xml doesn’t meet your needs, you can tweak your policy file to your needs and upload. Each section of the policy file is broken down in the next few sections to give the developer background on tweaking the output.

Policy File Directives

[<directives></directives>]

The following table shows the directives, their default values, and their impact on the AntiSamy filtering process.

DirectiveTypeDefaultDescription
useXHTMLbooleanfalseWhen this feature is on, AntiSamy will output the sanitized data in XHTML format as opposed to just regular HTML
omitXMLDeclarationbooleantrueWhen "omitXMLDeclaration" is turned on, AntiSamy will automatically prepend the XML header to output. Enabling this feature will tell AntiSamy not to do that.
omitDoctypeDeclarationbooleantrueWhen this feature is enabled, AntiSamy will automatically prepend the HTML doctype declaration. By default, AntiSamy will not prepend this header.
formatOutputbooleanfalseWhen enabled, AntiSamy will automatically format the output according to some basic rules and indentation. Kind of like "pretty print."
maxInputSizeint100000This directive specifies the maximum size (in bytes) of user input before it's validated.
embedStyleSheetsbooleantrueWhen the developer chooses to allow CSS, this directive will specify whether or not remote style sheets found referenced in the user's input will be pulled down and embedded into the current user input.
maxStyleSheetImportsint1This feature allows developers to specify how many remote style sheets can be downloaded from any one input.
connectionTimeoutint1000When "embedStyleSheets" is enabled, this timeout value (in milliseconds) will be used when fetching the offsite resource in question. This should be used to prevent validation threads from blocking when connecting to 3rd party systems that may purposefully act really, really slowly.
preserveCommentsbooleanfalseWhen enabled, AntiSamy will keep HTML comments supplied in the input.
nofollowAnchorsbooleanfalseWhen enabled, AntiSamy will append rel="nofollow" attributes to all anchor ( <a> ) tags supplied in the input. This is useful for telling search engines not to associate your site with sites that are under the control of your users
validateParamAsEmbedbooleanfalseWhen enabled, AntiSamy will treat attributes of <param> tags in the policy the same as any tags nested inside the <embed>. This allows users to, according to policy, pass in data in either of those two methods with equal security. This is needed for sites that allow users to supply videos, etc.
preserveSpacebooleanfalseWhen enabled, this feature is intended to preserve spaces as specified in the input without normalization.
onUnknownTagStringremoveWhen this directive is set to "encode," it will encode the tag using HTML entities, instead of removing the tag, which is the default behavior.

Common Regular Expressions

[<common-regexps> </common-regexps>]

You can declare regular expressions here that can be used in the rest of the Policy File.

Examples

<regexp name="htmlId" value="[a-zA-Z0-9:-_.]+"/>

This regular expression is used to determine whether the text in an id attribute is valid or not.

0-9a-fA-F]{6}|[0-9a-fA-F]{3}))"/>

We can define any number of regular expressions and each regex has its unique name to refer to other sections for validating over regex.

The regexes defined here can be used to.

Common Attributes

[<common-attributes> </common-attributes>]

Here you can declare attributes here that are common to many different tags. Antisamy will match the attribute that encountered on any tag with regexes / literal-list defined for that attribute in this section. If doesn’t match then Antisamy will apply the action defined for that attribute with the onInvalid attribute.

Below the schema structure.

onInvalid="">

Attribute

  • Name - The name of the attribute (required).
  • Description - Description of the attribute (optional ).
  • onInvalid - Defines the action to be taken if the value of attribute fails matching (optional, Default : removeAttribute ) and possible actions are [ removeAttribute, encodeTag, filterTag, removeTag ].
    • removeAttribute - Remove the attribute only
    • encodeTag - Encode the tag in which the attribute constitute.
    • filterTag - Remove the tag and children but keep the contents.
    • removeTag - Remove the tag along with the content.

Regexp-list

Value of the attribute should match all the regexp defined here.

  • Regexp
    • Name - The name of the regex that already defined in Common Regular Expressions.
    • Value - Value of regex instead of defining int Common Regular Expressions.

Literal-list

The value of the attribute should be one of the literal constants defined here.

  • Literal
    • Value - Defines the literal constant value of the attribute.

Example-1

<attribute name="id" description="The 'id' of any HTML attribute should not contain anything besides letters and numbers">
   <regexp-list>
      <regexp name="htmlId"/>
   </regexp-list>
</attribute>

And sample html text as follows

<body><p id='$$test'> Test Me </p></body>

As id attribute contains $ it doesn’t match the regex htmlId so it will result as follows for different actions.

removeAttribute

<body><p> Test Me </p></body> 

encodeTag

<body><p id="test"> Test Me </p></body> 

filterTag

<body> Test Me </body> 

removeTag

<body> </body>

Example-2

<attribute name="shape" description="The 'shape' attribute defines the shape of the selectable area"  onInvalid="encodeTag">
   <literal-list>
      <literal value="default"/>
      <literal value="rect"/>
      <literal value="circle"/>
      <literal value="poly"/>
   </literal-list>
</attribute>

Here the media attribute should match the regular expression and it should be in specified literal as well.

note

In order to apply these validations on an attribute of the given tag, the attribute should be declared in section OR in under section otherwise that attribute will be removed without applying the attribute validation that defined in common-attributes.

Global Tag Attributes

[<global-tag-attributes> </global-tag-attributes>]

You can declare attributes here that are global to all different tags.

Example:

<attribute name="id"/>

The id attribute is global to many different tags.

Tags to Encode

[<tags-to-encode> </tags-to-encode>]

You can declare tags here that will not be removed, filtered, validated or truncated, but encoded using HTML entities.

Example:

   <tag>g</tag>

The g tag doesn’t actually do anything, but it isn’t malicious either so we can encode it, rather than remove it.

Tag Rules

[<tag-rules> </tag-rules>]

You can define parsing rules here that will be used for each tag individually. The following section shows what happens to tags according to what actions AntiSamy has decided to perform on it. This will help understand how to build your own tag-rules rules.

  • remove - Will remove entire tag when it encountered.
  • validate - Validate the tag attributes based on defined rules.
  • filter - Filter out the tag and children and preserve the content.
  • truncate - Remove the content and children but keep the tag.

Default

Behavior when the tag is not listed in <tag-rules>

Input:

<anewtag id="newtag" anewattrib="attrib">Text goes **here**.

Output:

<div>Text goes <b>here</b>.</div>

Remove

Behavior when the tag-rule action is set to “remove” for given tag. Tag is deleted with all of its child text.

Input:

<anewtag id="newtag" anewattrib="attrib">Text goes **here**.

Output:

<div></div>

Filter

Behavior when the tag-rule action is set to “filter” for given tag. Delete tag, but keep its child text.

Input:

<anewtag id="newtag" anewattrib="attrib">Text goes **here**.

Output:

<div>Text goes <b>here</b>.</div>

Validate

Behavior when the tag-rule action is set to “validate” for given tag. Verify that its attributes and children elements follow rules defined in policy file.

Input:

<anewtag id="newtag" anewattrib="attrib">Text goes **here**.

Output:

<div><anewtag id="newtag">Text goes <b>here</b>.</anewtag></div>

Truncate

Behavior when the tag rule action is set to “truncate” for given tag. Keep the element, but remove all attributes.

Input:

<div><anewtag id="newtag" anewattrib="attrib">Text goes <b>here</b>.</anewtag></div>

Output:

<div><anewtag >Text goes <b>here</b>.</anewtag></div>

Example:

<tag name="html" action="validate"/> 

The html tag is included in the clean output after it has been validated that it has been properly used.

CSS Rules

[<css-rules> </css-rules>]

You can define parsing rules here that will be used for each CSS property individually. Only CSS defined in this section is allowed.

Example:

<property name="width" default="auto" description="">
     <category-list>
        <category value="visual"/>
     </category-list>
     <literal-list>
        <literal value="auto"/>
        <literal value="inherit"/>
     </literal-list>
     <regexp-list>
        <regexp name="length"/>
        <regexp name="percentage"/>
     </regexp-list>
</property>

The CSS width property is allowed only when it matches these rules when used. The value of the width element must be a length, percentage or one of the two literal values “auto” or “inherit”.

Last updated on 11/25/2019 by Swetha Kundaram
← SSL EncryptionOWASP →
  • Configuring Your AntiSamy Policy
  • Policy File Directives
  • Common Regular Expressions
    • Examples
  • Common Attributes
    • Attribute
    • Regexp-list
    • Literal-list
    • Example-1
    • Example-2
  • Global Tag Attributes
  • Tags to Encode
  • Tag Rules
    • Default
    • Remove
    • Filter
    • Validate
    • Truncate
  • CSS Rules
WaveMaker
  • PRICING
  • PARTNERS
  • CUSTOMERS
  • ABOUT US
  • CONTACT US
Terms of Use | Copyright © 2013-2023 WaveMaker, Inc. All rights reserved.