I am working on a project that takes html from the user and persist to the DB. The current implementation is vulnerable to XSS attack.
In order to prevent this attack, I am trying to implement the OWASP Antisamy as seen here but I am getting fileNotFoundError for the policy that I have downloaded and put in the resources directory of the project.
Code
//sanitize welcomeMessage
try {
Policy policy = Policy.getInstance(new File("antisamy-tinymce.xml"));
AntiSamy as = new AntiSamy();
CleanResults cr = as.scan(welcomeMessage, policy);
preferences.setWelcomeMessage(cr.getCleanHTML());
} catch (PolicyException | ScanException e) {
FacesContext.getCurrentInstance().addMessage(null, new FacesMessage(FacesMessage.SEVERITY_WARN, "Invalid Welcome Message", e.getMessage()));
return;
}
Project Structure
.
└── src/
└── main/
└── resources/
├── antisamy-tinymce.xml
Any pointer to what I might be doing wrongly?
I have tried using the absolute path of the antisamy-tinymce.xml file but it doesn't work when deployed to the application server.