Cross-site scripting (XSS) is a type of security vulnerability typically found in web applications. XSS enables attackers to inject client-side scripts into web pages viewed by other users.
{{Jooby}} provides a few XSS escapers and a simple, flexible way to plug in custom or more fully featured XSS escapers.
The default XSS escapers are urlFragment, formParam, pathSegment and html, all provided by Guava.
More advanced, feature-rich escapers such as js, css and sql are provided via modules.
There are a couple of ways to use XSS escape functions:
```java
{
  post("/", req -> {
    String safeParam = req.param("input", "html").value();
    String safeHeader = req.header("input", "html").value();
  });
}
```

Here input is the param/header that you want to escape with the html escaper.
Escapers can be chained by passing more than one escaper name:

```java
{
  post("/", req -> {
    // param(...) returns a Mutant, so .value() is still needed to obtain the String
    String safeInput = req.param("input", "urlFragment", "html").value();
  });
}
```

To bind the request parameters to a form object with every value passed through the html escaper, give the form class instead of a parameter name:

```java
{
  post("/", req -> {
    MyForm form = req.params(MyForm.class, "html");
  });
}
```

Template engines usually provide built-in methods to escape HTML. However, {{jooby}} will also integrate its XSS escapers with the template engine of your choice:
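The following stand-alone Java example is added here and is not Jooby's own implementation. It builds a small registry of the four default escaper names backed by the same Guava escapers the text lists, and chains them by name the way the req.param("input", "urlFragment", "html") call above does. The EscaperChainDemo class, its escape(...) helper, and the left-to-right application order are assumptions of this example; it shows why the order of chained escapers matters (the inner context, the URL, is escaped first, then the outer HTML context) and why an unknown escaper name should be rejected rather than silently ignored.

```java
import com.google.common.escape.Escaper;
import com.google.common.html.HtmlEscapers;
import com.google.common.net.UrlEscapers;

import java.util.LinkedHashMap;
import java.util.Map;

/**
 * Illustration of named, chainable escapers using Guava's escapers.
 * Not Jooby's code: the registry shape and chaining order are assumptions.
 */
public class EscaperChainDemo {

  // Escaper name -> Guava escaper, mirroring the four default names on the page.
  private static final Map<String, Escaper> ESCAPERS = new LinkedHashMap<>();
  static {
    ESCAPERS.put("html", HtmlEscapers.htmlEscaper());
    ESCAPERS.put("urlFragment", UrlEscapers.urlFragmentEscaper());
    ESCAPERS.put("formParam", UrlEscapers.urlFormParameterEscaper());
    ESCAPERS.put("pathSegment", UrlEscapers.urlPathSegmentEscaper());
  }

  /** Applies the named escapers to raw, left to right (assumed order). */
  static String escape(String raw, String... names) {
    String out = raw;
    for (String name : names) {
      Escaper escaper = ESCAPERS.get(name);
      if (escaper == null) {
        // Fail closed: an unknown name must never let data pass through unescaped.
        throw new IllegalArgumentException("unknown escaper: " + name);
      }
      out = escaper.escape(out);
    }
    return out;
  }

  public static void main(String[] args) {
    // Constructed sample input standing in for an untrusted request parameter.
    String raw = "<script>alert(1)</script> & \"quotes\"";

    System.out.println("html           : " + escape(raw, "html"));
    System.out.println("urlFragment    : " + escape(raw, "urlFragment"));

    // Each escaper sees the previous one's output, so the two orders differ:
    // urlFragment then html (the page's order) percent-encodes for the URL first
    // and then entity-encodes the result for the surrounding HTML; html first
    // leaves entities that the URL escaper then partly percent-encodes.
    System.out.println("urlFrag -> html: " + escape(raw, "urlFragment", "html"));
    System.out.println("html -> urlFrag: " + escape(raw, "html", "urlFragment"));

    // "js" is only available via a module, so the base registry rejects it.
    try {
      escape(raw, "js");
    } catch (IllegalArgumentException e) {
      System.out.println("rejected       : " + e.getMessage());
    }
  }
}
```

Run it with Guava on the classpath; the general rule it demonstrates is to list escapers from the innermost context outward, which is the order the page's own urlFragment, html example uses.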
handlebars:
```
{{xss input "js" "html"}}
```

pebble:
```
{{xss (input, "js", "html")}}
```

freemarker:
```
${xss (input, "js", "html")}
```

jade:
```
p= xss.apply(input, "js", "html")
```
Additional escapers are available as modules:

- unbescape: XSS escapers via unbescape
- csl: XSS escapers via coverity-security-library