
I've inherited a large code base of 1000+ JSP-files that is full of XSS-vulnerabilities.

The code is full of

<%= request.getParameter("theparam")%>

and

out.println("some stuff before"+request.getParameter("theparam")+"and some other stuff");

and

String myVar = request.getParameter("theparam");
out.println(myVar);

I want to secure all files without having to go through all of them individually.

What is my best approach?

  • Do a 'replace all' of request.getParameter("xx") with StringEscapeUtils.escapeHtml(request.getParameter("xx")) on all source files?

  • Can I somehow override the function 'request.getParameter' so it defaults to stringescapeutils.escapehtml(request.getParameter(""));?

thanks

Filburt
user1194465

2 Answers


I am not saying this is the best approach, but:

Can i somehow override the function 'request.getParameter' so it defaults to stringescapeutils.escapehtml(request.getParameter("")); ?

is easily achievable using a servlet filter and by wrapping the HTTP servlet request. This approach is described in How to add validation logic to HttpServletRequest.

However, the most comprehensive approach is to escape when displaying, preferably only in JSP. Too bad you also generate HTML in servlets. See: Java 5 HTML escaping To Prevent XSS.

Tomasz Nurkiewicz
  • Anyone a regexp guru? I want to replace all occurrences of request.getParameter("thischangesallthetime") with stringescapeutils.escapehtml(request.getParameter("")); Can I do it with a regular expression replace? – user1194465 Jul 16 '12 at 08:22
  • @user1194465: absolutely you can, but please post another question (maybe it's even more suited on superuser?) and follow-up here. Also I am not sure whether this is a good approach - you should escape parameters when showing, not when reading. – Tomasz Nurkiewicz Jul 16 '12 at 08:27
  • OK, I've done this: http://stackoverflow.com/questions/11500695/notepad-regulare-expression-to-replace – user1194465 Jul 16 '12 at 08:36

You can do something like the below:

<%@ page import="org.apache.commons.lang.StringEscapeUtils" %>
<%
    // read the raw parameter, then escape it before it reaches the page
    String str = request.getParameter("urlParam");
    String safeOutput = StringEscapeUtils.escapeXml(str);
%>
<%= safeOutput %>

Hope this will help you to resolve the problem...

Anushka Senarathna