I'm trying to secure my Spring MVC web app against cross-site scripting (XSS) attacks.

At first I thought I could simply set defaultHtmlEscape in my web.xml and be done. But I found that had no effect. As explained here -- Spring or App-Server escape html isn't working JAVA MVC, defaultHtmlEscape has no effect on INPUTS. It only sanitizes OUTPUTS within c:out tags.

So then I figured I'd write a filter to intercept requests, examine the parameters, and sanitize them as needed. But while looking into how to write the filter, I came across this -- XSS Filter to enctype="multipart/form-data" forms. It includes comments suggesting that filtering inputs is a bad idea, and that I should stick to filtering outputs.

Several posts mention HDIV and other third-party security solutions, but I'd rather not introduce a new third-party dependency to my project for something as basic as sanitization.

But filtering outputs seems inconvenient and error-prone. Are all the developers who touch my web app expected to remember to use c:out for EVERY output value on EVERY JSP page? Surely a global setting would be better? What's the best practice here?

Thanks in advance for your advice.

Steve Saporta
  • You also have the option to sanitize your output **before** you add it as an attribute to your model. – Bart Dec 23 '13 at 21:20
  • Every developer with some experience knows that he must escape strings (when they switch their context / meta-data characters). And the easiest and common way, when switching to HTML in JSPs, is to use c:out. So the best practice is to use c:out – Ralph Dec 23 '13 at 21:21

2 Answers


This is a big question. There is no easy or automatic way to do it. Every developer on your team should understand the basic aspects of this. The best practices are going to include input validation and output escaping.

Additionally, if you handle input that is expected to be html markup, you will have additional complications. AntiSAMY is a good place to go for that.

This article is a good place to start: https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet

Matt Jennings

No, there is no way in Spring MVC to sanitize user inputs.

However you can prevent XSS by setting defaultHtmlEscape to true in web.xml

Adding this will not sanitize data; it will encode it, preventing XSS.

Refer to the link below for syntax

How do I prevent people from doing XSS in Spring MVC?

Noname
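Both answers come down to the same rule: keep the stored value untouched and encode it at the point where it is written into HTML, which is what JSTL `<c:out>` does by default and what Spring's `<form:*>`/`<spring:message>` tags do once `defaultHtmlEscape` is `true` in web.xml (a raw `${...}` EL expression in a JSP is covered by neither). The class below is an added illustration, not code from the question or either answer; the escaper is a hand-written stand-in for Spring's `HtmlUtils.htmlEscape`, and the class and method names are my own.

```java
// Added example: encode-on-output versus a naive input filter.
// escapeHtml() mirrors what <c:out> / Spring's HtmlUtils.htmlEscape do; it is
// written out here so the file runs with no dependency on Spring.
public class OutputEscapingDemo {

    // Escape the five characters that change meaning inside an HTML body or a
    // double-quoted attribute. The stored value is never altered; only the
    // copy being rendered is.
    static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // The kind of request filter the question considered: it silently destroys
    // legitimate data and still leaves every JSP responsible for its own output.
    static String naiveInputFilter(String s) {
        return s.replace("<", "").replace(">", "");
    }

    // Render the same stored value into two HTML contexts that share the
    // escaper above (body text and a quoted attribute). JavaScript and URL
    // contexts need their own encoders; see the OWASP cheat sheet in the answer.
    static String renderComment(String stored) {
        String safe = escapeHtml(stored);
        return "<p title=\"" + safe + "\">" + safe + "</p>";
    }

    public static void main(String[] args) {
        // Constructed sample: a legitimate comment that happens to contain markup characters.
        String comment = "Tom & Jerry say 1 < 2 && \"hi\" <b>there</b>";

        System.out.println("Stored as received:   " + comment);
        System.out.println("Rendered via escaper: " + renderComment(comment));
        System.out.println("Mangled by filter:    " + naiveInputFilter(comment));
    }
}
```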