Documentation
¶
Overview ¶
XssMw provides an "auto remove XSS" from all user submitted input.
It's applied on POST, PUT, and GET Requests only.
We currently support three Request types:
* JSON requests - Content-Type application/json
* Form Encoded - Content-Type application/x-www-form-urlencoded
* Multipart Form Data - Content-Type multipart/form-data
XSS filtering is performed by HTML sanitizer https://github.com/microcosm-cc/bluemonday
The two packaged policies are available, UGCPolicy or StrictPolicy ¶
The default is to the strictest policy - StrictPolicy()
use of UGCPolicy is untested at this time
Index ¶
- type XssMw
- func (mw *XssMw) ConstructJson(xmj XssMwJson, buff bytes.Buffer) bytes.Buffer
- func (mw *XssMw) GetBlueMondayPolicy() *bluemonday.Policy
- func (mw *XssMw) HandleGETRequest(c *gin.Context) error
- func (mw *XssMw) HandleJson(c *gin.Context) error
- func (mw *XssMw) HandleMultiPartFormData(c *gin.Context, ctHdr string) error
- func (mw *XssMw) HandleXFormEncoded(c *gin.Context) error
- func (mw *XssMw) RemoveXss() gin.HandlerFunc
- func (mw *XssMw) SetRequestBodyJson(c *gin.Context, buff bytes.Buffer) error
- func (mw *XssMw) XssRemove(c *gin.Context) error
- type XssMwJson
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type XssMw ¶
type XssMw struct {
// List of fields to not filter. i.e. password, created_on, created_at, etc
// password is set to skip by the system i.e. FieldsToSkip = []string{"password", "cre_date"}
FieldsToSkip []string
// Bluemonday comes with two default policies
// Two options StrictPolicy // the default
// UGCPolicy
// or you can specify you own policy
// define it somewhere in your package so that you can call it here
// see https://github.com/microcosm-cc/bluemonday/blob/master/policies.go
// This must contain one of three possible settings:
// StrictPolicy // the default
// UGCPolicy
// New // Specify your own policy - not yet supported
BmPolicy string
}
Config struct for passing options
func (*XssMw) ConstructJson ¶
De-constructs the http request body removes undesirable content keeps the good content to construct returns the cleaned http request Map to Bytes (struct to json string...)
func (*XssMw) GetBlueMondayPolicy ¶
func (mw *XssMw) GetBlueMondayPolicy() *bluemonday.Policy
Get which Bluemonday policy
func (*XssMw) HandleGETRequest ¶
HandleGETRequest handles get request
func (*XssMw) HandleJson ¶
Handles request Content-Type = application/json
The four types of data handled.
* 1st type filter - basic key:value - most common
map[string]interface {}{"updated_by":"534", "updated_at":"1480831130", "id":"1", "name":"foo"}
* 2nd type an id with associated ids list
map[string]interface {}{"project_id":"1", "talent_ids":[]interface {}{"1", "4", "8"}}
- NOTE changes from ["1", "4", "8"] to [1,4,8]
* 3rd type an "array of records"
[]interface {}{
map[string]interface {}{"name":"asd", "url":"/data/1/as",
"user_id":"537", "username":"Test User ©", "created_by":"537", "id":"286",
"fqdn":"audio class", "project_id":"1", "path":"/tmp/store/1/as",
"updated_at":"1480791630", "status":"NEW",
"updated_by":"537", "created_at":"1480450694"},
map[string]interface {}{"name":"asd2", "url":"/data/2/as", etc... },
map[string]interface {}{"name":"asd3", "url":"/data/3/as", etc... },
...
}
* 4th type "complex array/nested records"
map[string]interface {}{
"id":"1",
"users":[]interface {}{
map[string]interface {}{"id":"1", "flt":"1.345", "user":"TestUser1", "email":"testUser1@example.com", "password":"!@$%^ASDF<html>1", "comment":"<img src=x onerror=alert(0)>", "cre_at":"1481017167"},
map[string]interface {}{"cre_at":"1481017167", "id":"2", "flt":"2.345", "user":"TestUser2", "email":"testUser2@example.com", "password":"!@$%^ASDF<html>2", "comment":"<img src=x onerror=alert(0)>"}
}
}
func (*XssMw) HandleMultiPartFormData ¶
Handles Content-Type "multipart/form-data"
skips sanitizing if file upload
Content-Disposition: form-data; name="" filename=""
tries to determine Content-type for form data file upload, defaults to application/octet-stream if unknown
handles basic form field POST request for example:
--3af5c5b7adcb2142f404a8e1ce280c47c58e563e3d4c1e172490737c9909 Content-Disposition: form-data; name="flt" 2.345 --3af5c5b7adcb2142f404a8e1ce280c47c58e563e3d4c1e172490737c9909 Content-Disposition: form-data; name="user" TestUser --3af5c5b7adcb2142f404a8e1ce280c47c58e563e3d4c1e172490737c9909 Content-Disposition: form-data; name="email" testUser@example.com --3af5c5b7adcb2142f404a8e1ce280c47c58e563e3d4c1e172490737c9909 281 } Content-Disposition: form-data; name="password" !@$%^ASDF --3af5c5b7adcb2142f404a8e1ce280c47c58e563e3d4c1e172490737c9909 Content-Disposition: form-data; name="comment" >'>\"> --3af5c5b7adcb2142f404a8e1ce280c47c58e563e3d4c1e172490737c9909 Content-Disposition: form-data; name="cre_at" 1481017167 --3af5c5b7adcb2142f404a8e1ce280c47c58e563e3d4c1e172490737c9909 Content-Disposition: form-data; name="id" 2 --3af5c5b7adcb2142f404a8e1ce280c47c58e563e3d4c1e172490737c9909--
NOTE: form-data name 'password' is skipped (not sanitized)
func (*XssMw) HandleXFormEncoded ¶
Handles Content-Type "application/x-www-form-urlencoded"
Has been tested with basic param=value form fields only:
comment=<img src=x onerror=alert(0)> &cre_at=1481017167 &email=testUser@example.com &flt=2.345 &id=2 &password=TestPass &user=TestUser
has not been tested on file/data uploads
func (*XssMw) RemoveXss ¶
func (mw *XssMw) RemoveXss() gin.HandlerFunc
XssMw implements the Gin Middleware interface.
func (*XssMw) SetRequestBodyJson ¶
encode processed body back to json and re-set http request body
Source Files