Question

I have a simple JSP that has 3 inputs (name, id and email) and a form submit. From doing some reading, it looks like my input values should be encoded. How can I do this? Can anyone provide an example? For example:

 <td><input id="email" name="email" value=""/></td>
 <td><input id="fullname" name="fullname" value=""/></td>
 <td><input id="userId" name="userId" value=""/></td>
 <input type="submit" value="Get User"/>

How should the email, fullname and userId be encoded? Also, I have seen an example as follows:

  String safeOutput = ESAPI.encoder().encodeForHTML(comment);

Should the encoding be done both in the HTML and in the Java code? I would appreciate some tips, as I am confused about this. Thanks.


Solution

Basically, if someone puts any HTML in any of your parameters and you then display those on your site, their HTML will be parsed by the browser. They could use this to screw up your formatting, e.g. leave a B tag unclosed, or they could put in a script tag pointing to a script on another site.

The two most basic ways to protect against it are:

  1. Check for < or > in any user input data, and reject the data if it contains either of them.
  2. Nullify any HTML entered by the user by replacing all < and > with &lt; and &gt; or [ and ].

Those will work if you want to disallow all HTML. But if you want to allow the user to input some HTML, like safe tags (B, I, EM, STRONG), then you need a library that removes all HTML tags not on a whitelist.
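As an added example (not code from the answer above), here is what the two options look like in plain Java, applied to the question's three fields: a check that rejects a value containing < or >, and an encoder that replaces them with entities on output. The encoder also covers &, double quotes and single quotes, which is the same set of five characters that JSTL's c:out escapes, so the result can be echoed back inside an input's value="..." attribute as well as in element text. The class name, the helper names, the sample submission and the evil.example URL are all constructed for this example; no ESAPI or other library is assumed.

```java
import java.util.LinkedHashMap;
import java.util.Map;

// Added example, not from the original answer: reject-or-encode handling of
// the email / fullname / userId fields from the question.
public final class FormEncodingExample {

    /** Option 1 from the answer: reject any value that contains '<' or '>'. */
    static boolean containsMarkup(String value) {
        return value != null && (value.indexOf('<') >= 0 || value.indexOf('>') >= 0);
    }

    /**
     * Option 2: neutralise HTML by encoding it on output. Escapes the five
     * characters that JSTL's c:out escapes (& < > " '), so the result is safe
     * both as element content and inside a quoted attribute such as value="...".
     */
    static String encodeForHtml(String value) {
        if (value == null) {
            return "";
        }
        StringBuilder sb = new StringBuilder(value.length() + 16);
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&#034;"); break;
                case '\'': sb.append("&#039;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Renders one of the question's inputs with the submitted value echoed back, encoded. */
    static String renderInput(String name, String submittedValue) {
        return "<input id=\"" + name + "\" name=\"" + name + "\" value=\""
             + encodeForHtml(submittedValue) + "\"/>";
    }

    public static void main(String[] args) {
        // Constructed sample submission: the email field carries an attempt to
        // close the value attribute and inject a script tag; the name field
        // carries ordinary characters (' and &) that still need encoding.
        Map<String, String> params = new LinkedHashMap<>();
        params.put("email", "\"><script src=\"http://evil.example/x.js\"></script>");
        params.put("fullname", "O'Brien & Sons");
        params.put("userId", "42");

        for (Map.Entry<String, String> e : params.entrySet()) {
            if (containsMarkup(e.getValue())) {
                System.out.println(e.getKey() + ": would be rejected under option 1");
            }
            // Under option 2 the value is accepted and encoded when written back.
            System.out.println(renderInput(e.getKey(), e.getValue()));
        }
    }
}
```

Run with `javac FormEncodingExample.java && java FormEncodingExample`. Only the email value trips the option 1 check; the apostrophe and ampersand in the name pass it, which is why the encoder has to handle more than just < and > before the value goes into an attribute.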

OTHER TIPS

You should ideally be using a security framework like HDIV (HTTP Data Integrity Validator). We use it for a large eCommerce application and just passed our security review.

Some great features

  • Java based
  • Supports frameworks like struts/spring-mvc/jsf/servlets etc.
  • In-built filters/interceptors for handling injections/XSS/CSRF attacks etc

Extract from the HDIV site:

HDIV is an open-source framework that eliminates or mitigates web security risks by design for some of the most used JVM web frameworks

It is practically impossible to prevent people entering fragments of HTML in general text fields, because you might want to allow them to enter "special" characters, such as &, < and >. So instead of trying to prevent or remove HTML, it might be better to ensure that when it is displayed, it is done in a safe manner. The JSP c:out action does that. Instead of writing

 <p>You said: ${userMessage}</p>

write

 <p>You said: <c:out value="${userMessage}"/></p>
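As an added example, not part of the answer above, here is the question's form written as a complete JSP page that echoes the submitted values back into the inputs safely. It assumes JSTL 1.2 (the javax `http://java.sun.com/jsp/jstl/core` and `functions` taglibs) is on the classpath; the form action `/user` is a placeholder. Inside an attribute you can either nest c:out (using single quotes for its own attribute) or use fn:escapeXml, which escapes the same five characters (&, <, >, ", '); a bare `${param.email}` in template text is written out unescaped.

```jsp
<%@ page contentType="text/html; charset=UTF-8" pageEncoding="UTF-8" %>
<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
<%@ taglib prefix="fn" uri="http://java.sun.com/jsp/jstl/functions" %>
<%-- Added example page, not from the original answer. --%>
<html>
<body>
<%-- action="/user" is a placeholder for the real servlet mapping --%>
<form method="post" action="/user">
  <table>
    <tr>
      <td>Email</td>
      <%-- value="${param.email}" here would write the raw value into the attribute --%>
      <td><input id="email" name="email"
                 value="<c:out value='${param.email}'/>"/></td>
    </tr>
    <tr>
      <td>Full name</td>
      <%-- fn:escapeXml escapes the same characters as c:out --%>
      <td><input id="fullname" name="fullname"
                 value="${fn:escapeXml(param.fullname)}"/></td>
    </tr>
    <tr>
      <td>User ID</td>
      <td><input id="userId" name="userId"
                 value="<c:out value='${param.userId}'/>"/></td>
    </tr>
  </table>
  <input type="submit" value="Get User"/>
</form>

<c:if test="${not empty param.fullname}">
  <%-- element content: c:out escapes here too, so a submitted <b> shows as literal text --%>
  <p>You said: <c:out value="${param.fullname}"/></p>
</c:if>
</body>
</html>
```

Deploy it as a .jsp in any servlet container with the JSTL jar in WEB-INF/lib and submit a name such as `<b>test</b>`: it is shown as literal text rather than rendered, and a value containing `"` stays inside its attribute.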
Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow