How to avoid XSS in this c:out?

Question

Normally i scan my code changes using veracode to detect security vulnerabilities. Now there is a string in DB which i am collecting in a string called custFunctionality and previously i was displaying this in jsp as :

out.println(<%= custFunctionality %>);

Well veracode scanned it and let me know that it constitutes a security defect.

So i used c: out here as :

<c:out escapexml='false' value='${custFunctionality }'/>

Now the problem here is that the string consists of html related mark up and special characters which i need to show in the page and if i don't give escapexml='false' those characters and mark ups don't materialize. However, since there is escapexml='false' string here in the code, this constitutes a security defect for veracode as i found it out after re scanning the file.

Can anyone suggest me an alternate solution out of this quagmire ?

Answer 1

What you're asking for is two different things. Taking special characters and displaying them visually to the user is fairly straightforward. Inserting them into the page as markup safely is more complicated.

Visual display:

What you want to do here is to take the special characters that the browser wants to interpret at as markup and escape (or encode) it in a way that indicates to the browser that it should just be displayed. Alex recommended the StringEscapeUtils which should help you do that. (Keep in mind that each context has it's own rules for escaping so what works for html won't necessarily work for css and javascript.)

Markup insertion:

In this case you need to do some validation of the input to ensure that you aren't inserting content that affects how your page behaves. Inserting some ... markup is probably okay, inserting javascript is risky. The challenge is catching all of the ways people might try to evade your filter. If your site is interesting enough, people will try to take advantage of this feature.