I have a use case where I have to prevent XSS injection on the server side. So I have made a custom annotation which can be applied to a String variable, and inside the validator logic I have used HtmlUtils.htmlEscape(input) && Jsoup.clean(unsafe, Safelist.basic()).
    public class Dto {
        @customXssPrevention
        String abc;
    }
Let's assume that the isValid method in the validator class of that annotation has been overridden.
    @Override
    public boolean isValid(String value, ConstraintValidatorContext cxt) {
        // custom logic using HtmlUtils.htmlEscape(input) && Jsoup.clean(unsafe, Safelist.basic())
    }
Now, let's say I want to allow certain characters like the single inverted comma ('), or certain tags, or similar inputs. Is there a way to exclude such input from the checks made by HtmlUtils.htmlEscape?
Basically, what I'm thinking is to make an annotation that would look something like this:
    @customXssPrevention(whitelist = {"<>", "'"})
I think HtmlUtils should expose a method that would skip the check on a few characters given by the user, but I can't find any such method. I would be happy to contribute it if needed.
As of now I'm modifying the user input, replacing such whitelisted occurrences with a random character and then passing the input to HtmlUtils.htmlEscape(). But changing the input is definitely not a good approach; instead I should be able to change the behavior of the method, or HtmlUtils should provide such a method.
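One way to honour a whitelist without rewriting the input, as an added example that is not from the question or from Spring/jsoup: the validator tests each code point against HtmlUtils.htmlEscape instead of substituting characters, and hands tag checking to a jsoup Safelist. It assumes Bean Validation under the jakarta namespace (javax for older Spring) and the hypothetical names CustomXssPrevention, whitelist and allowedTags.

```java
import java.lang.annotation.*;
import java.util.Arrays;
import java.util.Set;
import java.util.stream.Collectors;
import jakarta.validation.*;
import org.jsoup.Jsoup;
import org.jsoup.safety.Safelist;
import org.springframework.web.util.HtmlUtils;

// Hypothetical constraint: markup-significant characters are rejected unless listed in whitelist,
// tags are rejected unless listed in allowedTags, and attributes are never allowed.
@Retention(RetentionPolicy.RUNTIME)
@Target({ElementType.FIELD, ElementType.PARAMETER})
@Constraint(validatedBy = CustomXssPreventionValidator.class)
public @interface CustomXssPrevention {
    String message() default "value contains characters or tags that are not allowed";
    Class<?>[] groups() default {};
    Class<? extends Payload>[] payload() default {};
    String[] whitelist() default {};    // e.g. {"<>", "'"}: every code point of every entry is allowed
    String[] allowedTags() default {};  // e.g. {"b", "i"}
}

class CustomXssPreventionValidator implements ConstraintValidator<CustomXssPrevention, String> {
    private Set<Integer> whitelist;
    private Safelist safelist;  // null when no tags are allowed
    @Override
    public void initialize(CustomXssPrevention a) {
        whitelist = Arrays.stream(a.whitelist()).flatMapToInt(String::codePoints).boxed().collect(Collectors.toSet());
        safelist = a.allowedTags().length == 0 ? null : Safelist.none().addTags(a.allowedTags());
    }
    @Override
    public boolean isValid(String value, ConstraintValidatorContext ctx) {
        if (value == null) return true;  // leave null handling to @NotNull
        String text = value;
        if (safelist != null) {
            // Only the listed tags may appear; markup jsoup would strip (or fail to parse) is rejected.
            if (!Jsoup.isValid(value, safelist)) return false;
            text = Jsoup.parseBodyFragment(value).text();  // tags accepted, so inspect the text content only
        }
        return text.codePoints().allMatch(this::allowed);
    }

    // A code point passes if it is whitelisted or if htmlEscape leaves it unchanged. The two-argument
    // form with a UTF encoding escapes only < > & " '; the one-argument form (ISO-8859-1 default) also
    // turns letters such as 'é' into named entities, which would make this check reject them.
    private boolean allowed(int cp) {
        String s = new String(Character.toChars(cp));
        return whitelist.contains(cp) || HtmlUtils.htmlEscape(s, "UTF-8").equals(s);
    }
}
```

With `@CustomXssPrevention(whitelist = {"'"}, allowedTags = {"b"})`, the value `<b>it's</b>` passes while `<b onclick="x">it's</b>` and `a & b` fail; the validator never stores or returns a modified copy of the field.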