XSS – Sanitize Input

XSS is the most prevalent web application security flaw. XSS flaws occur when an application includes user-supplied data in a page sent to the browser without properly validating or escaping that content, so that attacker-controlled script runs in the victim's browser with the privileges of the site.

There are many libraries available for preventing XSS; after trying most of them, I found that the OWASP AntiSamy library covers most of the scenarios.

The OWASP AntiSamy project is a few things. Technically, it is an API for ensuring that user-supplied HTML/CSS complies with an application's rules. Another way of saying that: it is an API that helps you make sure clients don't supply malicious cargo code in the HTML they submit for their profile, comments, etc., which then gets persisted on the server. The term "malicious code" in regard to web applications usually means "JavaScript"; Cascading Style Sheets are only considered malicious when they invoke the JavaScript engine. AntiSamy is the right tool when the application must accept HTML markup from users and keep part of it; where a field is supposed to hold plain text, contextual output encoding at render time is the simpler and more complete defense, and AntiSamy is not a substitute for it.

The customized AntiSamy policy XML (antisamy-customized-1.4.3.xml, referenced by the code below) can be found here.


package com.application.security.util;

import org.owasp.validator.html.AntiSamy;
import org.owasp.validator.html.CleanResults;
import org.owasp.validator.html.Policy;
import org.owasp.validator.html.PolicyException;
import org.owasp.validator.html.ScanException;

import java.io.IOException;
import java.io.InputStream;

public class WebSecurityAPI {

    private static final String POLICY_FILE_LOCATION = "com/application/security/policy/antisamy-customized-1.4.3.xml";

    // Parse the policy XML once at class load; a Policy is immutable, so it can be
    // shared across threads instead of being re-read from the classpath on every call.
    private static final Policy POLICY;
    static {
        try (InputStream in = WebSecurityAPI.class.getClassLoader().getResourceAsStream(POLICY_FILE_LOCATION)) {
            if (in == null) throw new IllegalStateException("AntiSamy policy not on classpath: " + POLICY_FILE_LOCATION);
            POLICY = Policy.getInstance(in);
        } catch (IOException | PolicyException e) {
            throw new ExceptionInInitializerError(e);
        }
    }

    /** Returns sanitized HTML: the input with every tag, attribute and style the policy does not allow removed. */
    public static String sanitizeHTML(String input) throws PolicyException, ScanException {
        CleanResults cr = new AntiSamy().scan(input, POLICY, AntiSamy.SAX);
        return cr.getCleanHTML();
    }
}


import com.application.security.util.WebSecurityAPI;

/** @author Shiva Arvapalli */
public class SanitizeTest {

    public static void main(String[] args) {
        try {
            // Some fake input: a script tag, a stray event handler and quote characters mixed into ordinary text
            String dirtyInput = "\" Pour ac'céder au journal de test<script>alert(1)</script>onMouseOver=\"alert(1);In anticipation of your t\"entative\" June 2016 Call to the Bar of Ontario, we ask that you select a call location by <strong>April</strong> 4 of this year.sd";
            String cleanHTML = WebSecurityAPI.sanitizeHTML(dirtyInput);
            System.out.println(cleanHTML); // Do something with your clean output!
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
}
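Printing one cleaned string tells you little about whether the customized policy actually holds up. The following class is an added example, not code from the original post or from the AntiSamy project: it runs a handful of constructed XSS payloads through AntiSamy against the same classpath policy location used above (an assumption; adjust the path to your project) and reports, per payload, whether the dangerous fragments were removed and, for the benign case, whether legitimate formatting survived. Which tags a policy keeps is policy-specific, so the expectation that <strong> survives is an assumption about this customized policy, not a property of AntiSamy itself.

```java
import org.owasp.validator.html.AntiSamy;
import org.owasp.validator.html.CleanResults;
import org.owasp.validator.html.Policy;
import org.owasp.validator.html.PolicyException;
import org.owasp.validator.html.ScanException;

import java.io.IOException;
import java.io.InputStream;
import java.util.Locale;

/** Added example: a regression check of an AntiSamy policy against constructed XSS payloads. */
public class AntiSamyPolicyCheck {

    // Assumed classpath location of the customized policy; change to match your project.
    private static final String POLICY_FILE_LOCATION = "com/application/security/policy/antisamy-customized-1.4.3.xml";

    // Constructed sample inputs: common XSS vectors wrapped in ordinary markup.
    // Third column: a fragment that must survive sanitization (null if nothing is required to survive),
    // which encodes the assumption that the policy allows basic formatting such as <strong>.
    private static final String[][] CASES = {
        { "<b>hello</b><script>alert(1)</script>",                  "<script",     null },
        { "<a href=\"javascript:alert(1)\">click</a>",              "javascript:", null },
        { "<img src=x onerror=\"alert(1)\">",                        "onerror",     null },
        { "<div onmouseover=\"alert(1)\">hover</div>",               "onmouseover", null },
        { "<p style=\"background:url(javascript:alert(1))\">x</p>",  "javascript:", null },
        { "select a location by <strong>April</strong> 4",          "<script",     "<strong>" },
    };

    private static Policy loadPolicy() throws PolicyException {
        try (InputStream in = AntiSamyPolicyCheck.class.getClassLoader().getResourceAsStream(POLICY_FILE_LOCATION)) {
            if (in == null) throw new IllegalStateException("AntiSamy policy not on classpath: " + POLICY_FILE_LOCATION);
            return Policy.getInstance(in);
        } catch (IOException e) {
            throw new IllegalStateException("could not read AntiSamy policy", e);
        }
    }

    /** Runs every case through the policy; returns true only if all cases pass. Prints a per-case report. */
    public static boolean check(Policy policy) throws ScanException, PolicyException {
        AntiSamy as = new AntiSamy();
        boolean allOk = true;
        for (String[] c : CASES) {
            String payload = c[0], forbidden = c[1], mustKeep = c[2];
            CleanResults cr = as.scan(payload, policy, AntiSamy.SAX);
            String clean = cr.getCleanHTML();
            String lower = clean.toLowerCase(Locale.ROOT);
            // The forbidden fragment must be gone (case-insensitive, since attribute names are case-insensitive in HTML)
            boolean ok = !lower.contains(forbidden);
            // ...and, where required, the harmless formatting must still be there.
            if (mustKeep != null && !lower.contains(mustKeep)) ok = false;
            allOk &= ok;
            System.out.printf("%s%n  in : %s%n  out: %s%n  policy messages: %s%n",
                    ok ? "PASS" : "FAIL", payload, clean, cr.getErrorMessages());
        }
        return allOk;
    }

    public static void main(String[] args) throws Exception {
        boolean ok = check(loadPolicy());
        System.out.println(ok ? "all payloads neutralized" : "policy needs tightening (or keeps too little)");
        System.exit(ok ? 0 : 1);
    }
}
```

Run this whenever the policy XML changes: a policy edit that accidentally whitelists an event-handler attribute or a javascript: URL shows up as a FAIL line, and cr.getErrorMessages() lists what AntiSamy removed and why, which is useful both for tuning the policy and for logging rejected input in production.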