Is there any thing in spring security that will help escape all the incoming request bodies for XSS injection?
Viewed 3,051 times
Not that I know of. Have you looked at the following posts? http://stackoverflow.com/questions/5769847/how-to-avoid-apps-from-xss-attacks , http://stackoverflow.com/questions/19824338/avoid-xss-and-allow-some-html-tags-with-javascript/19943011#19943011 – tom Jun 06 '14 at 09:16
1 Answer
1
XSS can be prevented using the OWASP ESAPI framework. Implement a filter to intercept request parameters & encode them using the Encoder interface's wide array of methods to encode data for HTML, CSS, JavaScript etc.
String safeString = ESAPI.encoder().encodeForURL( request.getParameter( "input" ) );
I would recommend going with ESAPI, but if you choose NOT to use it, then you can implement the filter with the following method.
import java.util.regex.Pattern;

// Blacklist-style filter: strips a fixed set of script-related patterns from one input value.
private String stripXSS(String value) {
    if (value != null) {
        // NOTE: It's highly recommended to use the ESAPI library and uncomment the following line to
        // avoid encoded attacks.
        // value = ESAPI.encoder().canonicalize(value);

        // Avoid null characters (the original listing lost the "\0" literal; replaceAll("", "") is a no-op)
        value = value.replaceAll("\0", "");

        // Avoid anything between script tags
        Pattern scriptPattern = Pattern.compile("<script>(.*?)</script>", Pattern.CASE_INSENSITIVE);
        value = scriptPattern.matcher(value).replaceAll("");

        // Avoid anything in a src='...' type of expression
        scriptPattern = Pattern.compile("src[\r\n]*=[\r\n]*\\\'(.*?)\\\'", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
        value = scriptPattern.matcher(value).replaceAll("");
        scriptPattern = Pattern.compile("src[\r\n]*=[\r\n]*\\\"(.*?)\\\"", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
        value = scriptPattern.matcher(value).replaceAll("");

        // Remove any lonesome </script> tag
        scriptPattern = Pattern.compile("</script>", Pattern.CASE_INSENSITIVE);
        value = scriptPattern.matcher(value).replaceAll("");

        // Remove any lonesome <script ...> tag
        scriptPattern = Pattern.compile("<script(.*?)>", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
        value = scriptPattern.matcher(value).replaceAll("");

        // Avoid eval(...) expressions
        scriptPattern = Pattern.compile("eval\\((.*?)\\)", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
        value = scriptPattern.matcher(value).replaceAll("");

        // Avoid expression(...) expressions
        scriptPattern = Pattern.compile("expression\\((.*?)\\)", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
        value = scriptPattern.matcher(value).replaceAll("");

        // Avoid javascript:... expressions
        scriptPattern = Pattern.compile("javascript:", Pattern.CASE_INSENSITIVE);
        value = scriptPattern.matcher(value).replaceAll("");

        // Avoid vbscript:... expressions
        scriptPattern = Pattern.compile("vbscript:", Pattern.CASE_INSENSITIVE);
        value = scriptPattern.matcher(value).replaceAll("");

        // Avoid onload= expressions
        scriptPattern = Pattern.compile("onload(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
        value = scriptPattern.matcher(value).replaceAll("");
    }
    return value;
}
Code source: Anti cross-site scripting (XSS) filter for Java web apps

Shishir Kumar
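The answer above describes the ESAPI approach in one line; the following is an added example, not code from the answer or from ESAPI, showing how a servlet Filter and an HttpServletRequestWrapper put that idea together so parameters and headers come back canonicalized and HTML-encoded. It assumes the ESAPI library and the javax.servlet API on the classpath (under Spring Boot 3 / Jakarta EE the javax.servlet imports become jakarta.servlet); the class and method names are illustrative.

```java
import java.io.IOException;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

import org.owasp.esapi.ESAPI;
import org.springframework.stereotype.Component;

/**
 * Added example: wraps every HttpServletRequest so that getParameter*,
 * getHeader and friends return canonicalized, HTML-encoded values.
 * Registered as a Spring bean, it runs in the servlet filter chain.
 */
@Component
public class XssEncodingFilter implements Filter {

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        if (request instanceof HttpServletRequest) {
            chain.doFilter(new XssRequestWrapper((HttpServletRequest) request), response);
        } else {
            chain.doFilter(request, response);
        }
    }

    /** Encodes values on the way out of the request object (hypothetical class name). */
    static class XssRequestWrapper extends HttpServletRequestWrapper {

        XssRequestWrapper(HttpServletRequest request) {
            super(request);
        }

        /**
         * Canonicalize first, so percent-, entity- or mixed-encoded input is
         * reduced to one form; then encode for an HTML text context. Unlike a
         * regex blacklist, encoding keeps the data intact and simply makes it
         * inert. With ESAPI's default strict settings, canonicalize() throws an
         * IntrusionException on double-encoded input; decide whether to reject
         * the request or log and continue, and handle it here accordingly.
         */
        static String clean(String value) {
            if (value == null) {
                return null;
            }
            String canonical = ESAPI.encoder().canonicalize(value);
            return ESAPI.encoder().encodeForHTML(canonical);
        }

        @Override
        public String getParameter(String name) {
            return clean(super.getParameter(name));
        }

        @Override
        public String[] getParameterValues(String name) {
            String[] values = super.getParameterValues(name);
            if (values == null) {
                return null;
            }
            String[] cleaned = new String[values.length];
            for (int i = 0; i < values.length; i++) {
                cleaned[i] = clean(values[i]);
            }
            return cleaned;
        }

        @Override
        public Map<String, String[]> getParameterMap() {
            Map<String, String[]> cleaned = new HashMap<>();
            for (String name : super.getParameterMap().keySet()) {
                cleaned.put(name, getParameterValues(name));
            }
            return Collections.unmodifiableMap(cleaned);
        }

        @Override
        public String getHeader(String name) {
            return clean(super.getHeader(name));
        }
    }
}
```

Two design points worth knowing before copying this. First, the wrapper deliberately leaves getInputStream()/getReader() alone: HTML-encoding a raw JSON or XML body rewrites the quotes and angle brackets the parser needs, so a @RequestBody payload should be handled per string field after deserialization (or, better, encoded for the right context at render time, which is what template engines such as Thymeleaf or JSP's <c:out> do by default). Second, the encoding here is for an HTML text context only; a value later placed into a JavaScript string, a URL or an attribute needs the matching ESAPI encodeFor* method, which is the reason output-side encoding is generally preferred over a one-size input filter.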
That doesn't solve the problem of escaping the RequestBody, only the parameters and headers. – renanleandrof Mar 22 '18 at 21:46
This is a concept introduced to the OP. It can be extended efficiently to work with input in any part of the Request object. – Shishir Kumar Apr 08 '18 at 11:33