Use Active Content Filtering for Project Zero and WebSphere sMash applications


Introduction to ACF

Before getting started with Active Content Filtering (ACF), you must first understand what Project Zero is. The following is an excerpt from the Project Zero Web site:

"Project Zero is an incubator project within IBM® that focuses on agile development of the next generation of dynamic Web applications." Project Zero introduces a simple environment that supports the creation, assembly, and execution of applications based on popular Web technologies. The Project Zero environment includes a script runtime for Groovy and PHP, and an application programming interface optimized for REST-style services, integration mashups, and the generation of rich Web interfaces.

Project Zero is aimed primarily at building dynamic Web applications (usually categorized as Web 2.0), and this article focuses on interactive Web applications that may contain user-supplied content, such as mashups, wikis, and blogs. To support these applications, Project Zero provides an ACF library that application developers can include in a Zero application. ACF lets developers avoid issues such as cross-site scripting that often occur in such applications.

About the example

Author's note: When this article was first written, the application developer had to use the ACF either declaratively (by defining explicit rules in the application's zero.config) or programmatically (by using the provided APIs). Based on feedback from the Project Zero community and from readers, the development team now provides default-level ACF protection (which requires adding ZERO.ACF as a dependency) for the following scenarios:

Request parameters: Removes active content (such as JavaScript, applets, and ActiveX) from all inbound request parameters sent to the URI. These parameters are treated as HTML fragments.

JSON content request: Removes active content from all String values in the inbound JSON object sent to the URI. In this case, the type of all content is taken as specified.

JSON content response: Removes active content from all String values in the outbound JSON object sent from the URI. In this case, all content types other than "text/html" are treated as specified.

To turn off this default enablement, the sample application's zero.config includes the option "/config/acf/enablebydefault=false". Because in some cases the default enablement may not meet the application's requirements, this article focuses on using the ACF through the declarative and programmatic methods. Where appropriate, it also explains which parts are covered by the default flags.
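As an added illustration (not the ACF library's own code), the following JavaScript applies a minimal active-content filter the way the default scenarios above describe: to an HTML-fragment request parameter and, recursively, to every String value of a JSON object. The function names and sample inputs are constructed for this example; a production filter such as ACF should parse the markup rather than rely on regular expressions.

```javascript
// Illustrative active-content filter (constructed example, not Project Zero's ACF).
// Elements whose content is executable in an HTML fragment.
const ACTIVE_TAGS = ['script', 'applet', 'object', 'embed', 'iframe'];

// Strip active content from one HTML fragment: scripting elements with their
// bodies, stray or self-closing forms, inline on* handlers and javascript: URLs.
function filterFragment(html) {
  let out = String(html);
  for (const tag of ACTIVE_TAGS) {
    // <tag ...>body</tag>, non-greedy, case-insensitive, may span lines
    out = out.replace(new RegExp(`<${tag}\\b[^>]*>[\\s\\S]*?<\\/${tag}\\s*>`, 'gi'), '');
    // an unclosed, closing-only or self-closing <tag ...>
    out = out.replace(new RegExp(`<\\/?${tag}\\b[^>]*>`, 'gi'), '');
  }
  // inline event handlers such as onclick="..." (note: also matches text
  // that merely looks like one, another reason a real filter parses markup)
  out = out.replace(/\s+on\w+\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)/gi, '');
  // javascript: URLs in href/src/action attributes; keep the attribute, drop the URL
  out = out.replace(/(\b(?:href|src|action)\s*=\s*["']?)\s*javascript:[^"'\s>]*/gi, '$1');
  return out;
}

// Apply filterFragment to every String value of a JSON value, recursively.
// Numbers, booleans and null are returned unchanged, as ACF's JSON
// scenarios only touch String values.
function filterJson(value) {
  if (typeof value === 'string') return filterFragment(value);
  if (Array.isArray(value)) return value.map(filterJson);
  if (value && typeof value === 'object') {
    const out = {};
    for (const [k, v] of Object.entries(value)) out[k] = filterJson(v);
    return out;
  }
  return value;
}

// Constructed sample inputs: a comment request parameter and an inbound JSON object.
const sampleParam = 'Nice post! <script>document.cookie</script><b>thanks</b>';
const sampleJson = {
  title: 'Hello <applet code="x"></applet>',
  comments: [{ text: '<a href="javascript:void(0)" onclick="x()">link</a>' }],
  likes: 3,
};

console.log(filterFragment(sampleParam));          // Nice post! <b>thanks</b>
console.log(JSON.stringify(filterJson(sampleJson)));
```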

The examples in this article are designed to demonstrate the ACF fully, progressing from simple to advanced use cases. Each example builds on the previous one. The following is a summary of the examples, each of which is described in detail in a later section:

Example 1 is a very basic, Ajax-enabled page that lets users comment on articles received from an external source. This example shows what happens when a user comment or an article contains active content, such as JavaScript.

Example 2 builds on Example 1 and adds the ACF library. This example shows how ACF filtering works when the article contains active content (such as JavaScript).

Example 3 builds on Example 2 and adds filtering of request parameters with ACF. This example shows how ACF filtering works when the user comment contains active content, such as JavaScript.
