Location of AntiSamy policy file in web project

Question

I'm trying to use AntiSamy to prevent XSS attacks on my site. I downloaded the following jars and added them to "/WEB-INF/lib"

• antisamy-1.5.3.jar

• nekohtml.jar

• xercesImpl-2.5.0.jar

along with a policy file antisamy-slashdot-1.4.4.xml in "/WEB-INF".

I tried to implement a filter through web.xml. A snippet of the servlet I'm using is

public class AntiSamyFilter implements Filter {

private static final Logger LOG = Logger.getLogger(AntiSamyFilter.class);

private final AntiSamy antiSamy;

public AntiSamyFilter() {
    try {
        URL url = this.getClass().getClassLoader().getResource("antisamy-slashdot-1.4.4.xml");
        LOG.info("After getResource");
        Policy policy = Policy.getInstance(url.getFile()); //Deployment fails
        LOG.info("After Policy");
        antiSamy = new AntiSamy(policy);
        LOG.info("After antiSamy");
    } catch (PolicyException e) {
        throw new IllegalStateException(e.getMessage(), e);
    }
}
}

The deployment fails after Policy policy = Policy.getInstance(url.getFile());. It's probably because of the path of the policy file.

Can someone please tell me where the policy file should be kept?

Answer 1

The url.getFile part fails because it couldn't find the antisamy-slashdot-1.4.4.xml file. I created a package in src/my/package and changed

URL url = this.getClass().getClassLoader().getResource("antisamy-slashdot-1.4.4.xml");

to

URL url = this.getClass().getClassLoader().getResource("/my/package/antisamy-slashdot-1.4.4.xml");

I also added batik.jar along with the other jar files. It solved my problem