Jsoup is an XSS prevention tool. Jsoup can detect XSS script in HTML and URL also. Now I am giving example with URL. Jsoup can validate the URL with the "Isvalidate ()" method. "Isvalidate ()" Method return type is Boolean. If return type is true, that means URL has an XSS script so we need to clean the URL with the "Clean ()" method. "Clean ()" method would return clean URL as String.
Antisamy also one of the tool to prevent XSS script, it customized one so we need to configure everything. Its not better than Jsoup
Steps to use Jsoup:
1. Download jsoup jar File
2. Write the code like the following
import java.io.unsupportedencodingexception;import org.jsoup.jsoup;import Org.jsoup.safety.whitelist;public class jsoupsolution {public static void main ( String[] args) throws unsupportedencodingexception {/* * sequrity issue scenario */String input = "get /selfservice/forgotpwd.jsp?sserror=2& Returnurl=https://stg-wealthinteractive.skandiainternational.com/securityandroles/signin/signin?authn_try_ Count=06f080\ "style%3d\" Behavior%3aurl (%23default%23time2) \ "onbegin%3d\" alert (' XSS ') \ "f6bc57307de& Contexttype=external&username=string&contextvalue=%2foam&password=sercure_string&challenge_url =https%3a%2f%2fstg-wealthinteractive.skandiainternational.com%2fsecurityandroles%2fsignin%2fsignin&request _id=6990594052748823869&oam_req=&locale=en_gb&resource_url=http%253a%252f% 252fstg-wealthinteractive.skandiainternational.com%252fauth%252flevel2.jsp%253freturnurl%25253dhttp%2525253a%2525252f%2525252fstg-wealthinteractive.skandiainternational.com% 2525252fselfservice%2525252flevel3.jsp%2525253freturnurl%252525253dhttp%25252525253a%25252525252f% 25252525252fstg-wealthinteractive.skandiainternational.com%25252525252fskandia%25252525252flogout http/ 1.1 "; string unsafe = "'; Alert (String.fromCharCode (88,83,83)//'; Alert (String.fromCharCode (88,83,83)) \ "; Alert (String.fromCharCode (88,83,83))//\"; Alert (String.fromCharCode (88,83,83))//--></script>\ " > ' ><script>alert (String.fromCharCode (88,83,83)) </SCRIPT> "; string unsafe1 = " ";// string input =// "\" Behavior%3aurl (%23default%23time2) \ "onbegin%3d\" alert (' XSS ') \ ";// string input = "<script>alert (\ "xss\") </script>\ ">";// string input = "<form background=\" Javascript:alert (' XSS ') \ ' > '; String input = "<form bgcolor=\" #000000 \ ""; System.out.println ("input : " + input); Boolean check = jsoup.isvalid ( Unsafe1, whitelist.relaxed ());if (!check) {system.out.println ("its invalid string"); String safe = jsoup.clean (Unsafe1, whitelist.basic ()); System.out.println ("cleaned code: " + safe); System.out.println ("Its cleaned string by jsoup");boolean onemorecheck = Jsoup.isvalid (Safe, whitelist.basic ());if (Onemorecheck) {system.out.println ("Its safe code [after clean] ");} else {system.out.println ("Its harmfull code");}} else {system.out.println ("its valid string");}}}
Preventing XSS with Jsoup