Well, earlier this week I published my first Grails plugin. I’m hoping that people will find it useful to add a general security plugin to parse out, and prevent XSS attacks on their website. It’s a long way from being done, but I think it’s a good start.
It uses OWASP’s ESAPI to strip out any unwanted script, iframe, and img tags that come in on the request. It also has the added benefit of doing this in a Java filter (in case you access the request via the HttpRequest) and the Grails “params” attribute.
Next steps are to write tests for each of the potential hacks on http://ha.ckers.org/xss.html to make sure they all pass. Plus, in my opinion, this is just a general replace of all values. There are potentially times when you might want to submit something that falls into one of these categories, and you feel that it’s safe to not have to filter it. So, I’d like to allow users to be able to annotate methods to allow/disallow the filter to run give a certain action.
Here’s a link to the source code:
If you would like to install it, just type:
grails install-plugin xss-sanitizer
If you are interested in contributing, please let me know. I’d love to have some collaboration.