spring boot - Sanitize string from Malicious Markdown Vectors in java

Question

What can I use to sanitize string from Malicious Markdown Vectors before storing it in database?

I am using spring boot on back-end, and I need somehow to sanitize string before it is saved in database and later used for Cross-Site Scripting attacks. This is example of Malicious Markdown:

[clickme](javascript:prompt(document.domain))

After it's saved, it's shown as link and can be clicked.

question from:https://stackoverflow.com/questions/66061452/sanitize-string-from-malicious-markdown-vectors-in-java

Answer 1

OWASP is the oldest library out there for preventing this or any other kind of malicious user inputs, for your case here is the page you need to go over.

Here is an example

var sanitizer = new HtmlSanitizer();
var html = @"<script>alert('xss')</script><div onload=""alert('xss')"""
    + @"style=""background-color: test"">Test<img src=""test.gif"""
    + @"style=""background-image: url(javascript:alert('xss')); margin: 10px""></div>";
var sanitized = sanitizer.Sanitize(html, "http://www.example.com");
Assert.That(sanitized, Is.EqualTo(@"<div style=""background-color: test"">"
    + @"Test<img style=""margin: 10px"" src=""http://www.example.com/test.gif""></div>"));

Please check web application firewall too https://owasp.org/www-community/Web_Application_Firewall