Java 5 HTML escaping To Prevent XSS

Tags: java, jsp, xss

I'm looking into some XSS prevention in my Java application.

I currently have custom built routines that will escape any HTML stored in the database for safe display in my jsps. However I would rather use a built in/standard method to do this if possible.

I am not currently encoding data that gets sent to the database but would like to start doing that as well.

Are there any built in methods that can help me to achieve this?

AJM asked Feb 25 '10 11:02



1 Answer

You normally escape XSS during display, not during store. In JSP you can use the JSTL (just drop jstl-1.2.jar in /WEB-INF/lib) <c:out> tag or fn:escapeXml function for this. E.g.

<input name="foo" value="<c:out value="${param.foo}" />">

or

<input name="foo" value="${fn:escapeXml(param.foo)}">

That's it. If you do it during processing the input and/or storing in DB as well, then it's all spread over the business code and/or in the database. You should not do that, it's only maintenance trouble and you will risk double-escapes or more when you do it at different places (e.g. & would become &amp;amp; instead of &amp;, so that the end user would literally see &amp; instead of & in the view). The code and DB are not sensitive to XSS. Only the view is. You should then escape it only right there.

Update: you've posted 4 topics about the same subject:

  • Cross Site Scripting - Hidden Form Fields
  • HttpServletRequest - Quick way to encode url and hidden field parameters
  • HttpServletRequest - SetParameter
  • This one.

I will only warn you: you do not need to escape it in servlet/filter/Java code/database/whatever. You're only unnecessarily overcomplicating things. Just escape it during display. That's all.

BalusC answered Sep 20 '22 06:09
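As an added example (not part of BalusC's answer and not JSTL's own code), here is a standalone Java helper that applies the same five-character escaping as fn:escapeXml and <c:out>, with a main method that makes the double-escape problem from the answer visible: escaping a value twice turns & into &amp;amp;, which the browser shows as a literal &amp;. The class name, the sample parameter value and the asBrowserWouldShow helper are constructed for this illustration.

```java
/**
 * Standalone HTML escaping helper meant to run once, at display time.
 * It replaces the same five characters JSTL's fn:escapeXml / <c:out> do.
 * Assumption: this is a constructed illustration, not JSTL's own implementation.
 */
public final class DisplayEscaper {

    /** Escape a value exactly once, right before writing it into HTML text or an attribute. */
    public static String escapeXml(String value) {
        if (value == null) {
            return "";
        }
        StringBuilder out = new StringBuilder(value.length() + 16);
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            switch (c) {
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '&':  out.append("&amp;");  break;
                case '\'': out.append("&#039;"); break;
                case '"':  out.append("&#034;"); break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    /** Approximates what a browser displays for an escaped fragment, so double escaping is visible. */
    public static String asBrowserWouldShow(String html) {
        return html.replace("&lt;", "<").replace("&gt;", ">")
                   .replace("&#039;", "'").replace("&#034;", "\"")
                   .replace("&amp;", "&");   // &amp; last, so "&amp;lt;" correctly becomes the literal "&lt;"
    }

    public static void main(String[] args) {
        // Constructed sample value, standing in for request.getParameter("foo").
        String param = "Tom & Jerry <b>\"quoted\"</b>";

        // Correct: escape once, in the view.
        String once = escapeXml(param);
        // Wrong: value was already escaped before being stored, then escaped again in the view.
        String twice = escapeXml(once);

        System.out.println("<input name=\"foo\" value=\"" + once + "\">");
        System.out.println("user sees (escaped once):  " + asBrowserWouldShow(once));
        System.out.println("user sees (escaped twice): " + asBrowserWouldShow(twice));
    }
}
```

Running it shows the once-escaped value rendering back to the original text, while the twice-escaped value renders with visible &amp;, &lt; and &gt; entities, which is exactly the symptom the answer warns about when escaping happens in more than one place.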