
I have a simple JSP that has 3 inputs (name, id and email) and a form submit. From doing some reading, it looks like my input values should be encoded. How can I do this? Can anyone provide an example? For example:

 <td><input id="email" name="email" value=""/></td>
 <td><input id="fullname" name="fullname" value=""/></td>
 <td><input id="userId" name="userId" value=""/></td>
 <input type="submit" value="Get User"/>

How should the email, fullname and userId be encoded? Also I have seen an example as follows:

  String safeOutput = ESAPI.encoder().encodeForHTML(comment);

Should the encoding be done both in the HTML and in the Java code? I would appreciate some tips, as I am confused about this. Thanks

  • I'm not sure where you read this, but it's not required. – Diodeus - James MacFarlane Jan 08 '14 at 20:34
  • Well, I am not sure how to go about XSS fixes for a simple JSP. I read this: https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet#RULE_.232_-_Attribute_Escape_Before_Inserting_Untrusted_Data_into_HTML_Common_Attributes – Mary Jan 08 '14 at 20:42

3 Answers


Basically if someone puts any HTML in any of your parameters and you then display those on your site, their HTML will be parsed by the browser. They could use this to screw up your formatting, i.e. leave a B tag unclosed, or they could put in a script tag pointing to a script on another site.

The two most basic ways to protect against it are:

  1. Check for < or > in any user input data, and reject the data if it contains either of them.
  2. Nullify any HTML entered by the user by replacing all < and > with &lt; and &gt; or [ and ].

Those will work if you want to disallow all HTML. But if you want to allow the user to input some HTML, like safe tags (B, I, EM, STRONG), then you need a library that removes all HTML tags not on a whitelist.

  • Thanks for the response. Some of the examples that I have seen online show that the HTML input values are escaped. I have also seen examples where it is done in Java code as String safeOutput = ESAPI.encoder().encodeForHTML(request.getParameter("comment")) - should the encoding be done both in the HTML and in the servlet/controller? – Mary Jan 09 '14 at 14:18
  • The example in your first comment is because if you are going to write user input back into HTML attributes (e.g. value="<%=userinput%>") then you also need to escape "s, because if not they can close your attribute and insert other attributes. The most basic way would be to replace " with &quot; – developerwjk Jan 09 '14 at 21:32

You should ideally be using a security framework like HDIV (HTTP Data Integrity Validator). We use it for a large eCommerce application and just passed our security review.

Some great features:

  • Java-based
  • Supports frameworks like Struts/Spring MVC/JSF/servlets etc.
  • Built-in filters/interceptors for handling injection/XSS/CSRF attacks etc.

Extract from the HDIV site:

HDIV is an open-source framework that eliminates or mitigates web security risks by design for some of the most used JVM web frameworks


It is practically impossible to prevent people entering fragments of HTML in general text fields, because you might want to allow them to enter "special" characters, such as &, < and >. So instead of trying to prevent or remove HTML, it might be better to ensure that when it is displayed, it is done so in a safe manner. The JSP c:out action does that. Instead of writing

 <p>You said: ${userMessage}</p>

write

 <p>You said: <c:out value="${userMessage}"/></p>
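An added example (not from the question or any of the answers) in plain Java that shows the point the c:out answer and the attribute-escaping comment converge on: leave the submitted parameters as they are, and encode them once, at the moment they are written back into the page. It assumes a hand-written encoder standing in for `ESAPI.encoder().encodeForHTMLAttribute(...)` or `<c:out>`; the names `encodeForHtmlAttribute` and `renderForm` and the sample parameter values are constructed for this example.

```java
import java.util.LinkedHashMap;
import java.util.Map;

public class FormEncodingDemo {

    // Minimal escaping for text nodes and double-quoted attributes. These are
    // the same five characters JSTL <c:out> escapes by default; ESAPI's
    // encodeForHTMLAttribute encodes even more aggressively. Hypothetical helper.
    static String encodeForHtmlAttribute(String s) {
        if (s == null) return "";
        StringBuilder out = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // Renders the question's form, echoing submitted values back into the
    // value attributes. Encoding happens here, at output time; the raw request
    // parameters are validated and stored as-is and are never pre-encoded.
    static String renderForm(Map<String, String> params) {
        StringBuilder html = new StringBuilder();
        for (String field : new String[] {"email", "fullname", "userId"}) {
            // id/name come from a fixed list, never from user input.
            html.append("<td><input id=\"").append(field)
                .append("\" name=\"").append(field)
                .append("\" value=\"").append(encodeForHtmlAttribute(params.get(field)))
                .append("\"/></td>\n");
        }
        html.append("<input type=\"submit\" value=\"Get User\"/>\n");
        return html.toString();
    }

    public static void main(String[] args) {
        // Constructed sample input, standing in for request.getParameter(...).
        Map<String, String> params = new LinkedHashMap<>();
        params.put("email", "mary@example.com");
        params.put("fullname", "Mary \"Mo\" O'Neil <admin>");
        params.put("userId", "42");
        System.out.print(renderForm(params));
    }
}
```

The quotes and angle brackets in `fullname` come out as `&quot;`, `&#39;`, `&lt;` and `&gt;`, so the value stays inside its attribute and the browser shows the text the user typed.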