How to avoid apps from XSS attacks?

How to safeguard our web applications from XSS attacks? One app is vulnerable to attack if it does not do any conversion of special characters.

Ravi asked Apr 24 '11 09:04


2 Answers

You should HTML escape any input before outputting it back to the user. Some references:

  • OWASP XSS (Cross Site Scripting) Prevention Cheat Sheet
  • Consider using StringEscapeUtils.escapeHtml() from Apache Commons Lang
  • Or use HtmlUtils.htmlEscape() from Spring
  • XSS attack prevention
  • XSS prevention in JSP/Servlet web application
WhiteFang34 answered Sep 23 '22 12:09


HTML escaping inputs works very well. But in some cases business rules might require you NOT to escape the HTML. Using REGEX is not fit for the task and it is too hard to come up with a good solution using it.

The best solution I found was to use: http://jsoup.org/cookbook/cleaning-html/whitelist-sanitizer

It builds a DOM tree with the provided input and filters any element not previously allowed by a Whitelist. The API also has other functions for cleaning up HTML.

eduardohl answered Sep 22 '22 12:09
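The two strategies from the answers above side by side, as an added example (not code from either answerer): plain-text values get HTML-escaped on output, while a field that must keep limited markup goes through jsoup's whitelist cleaner. The escape routine is hand-written here instead of the Commons Lang or Spring call so the block stays self-contained; it assumes jsoup on the classpath with the `Whitelist` API from the linked cookbook (newer jsoup releases name it `Safelist`), and the comment string is constructed sample input.

```java
import org.jsoup.Jsoup;
import org.jsoup.safety.Whitelist;

public class XssOutputEncoding {

    // Case 1: the value is plain text. Escape every character that is significant in
    // an HTML body context so the browser renders it as text instead of parsing markup.
    // (Attribute, JavaScript and URL contexts need their own encoders; see the OWASP sheet.)
    public static String escapeHtml(String untrusted) {
        StringBuilder sb = new StringBuilder(untrusted.length());
        for (char c : untrusted.toCharArray()) {
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Case 2: business rules require some HTML (bold text, links). Escaping would
    // destroy the formatting, so jsoup parses the input into a DOM and copies only
    // whitelisted tags and attributes into the result. Whitelist.basic() keeps simple
    // text formatting and <a href> with http/https/mailto URLs; <script> blocks and
    // event-handler attributes such as onclick are not on the list and are dropped.
    public static String sanitizeRichText(String untrustedHtml) {
        return Jsoup.clean(untrustedHtml, Whitelist.basic());
    }

    public static void main(String[] args) {
        // Constructed sample: allowed formatting mixed with a script tag and an inline handler.
        String comment = "<b>Nice post</b> <script>alert('x')</script> "
                + "<a href=\"http://example.com\" onclick=\"evil()\">link</a>";

        // Rendered literally: the reader sees the tags as text, nothing executes.
        System.out.println("escaped:   " + escapeHtml(comment));

        // Formatting survives; the script element and the onclick attribute are gone.
        System.out.println("sanitized: " + sanitizeRichText(comment));
    }
}
```

Which of the two to apply is decided per output location: escape by default, and reach for the sanitizer only where the field is documented as accepting markup.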