String safeOutput = ESAPI.encoder().encodeForHTML(request.getParameter("temp"));
The above is not working; it does not validate. (I inserted all required jars and imported all files.) So can we use output validation directly?
Validate input
I would use Hibernate Validator's @SafeHtml annotation:
class MyEntity {
    @SafeHtml
    private String title;
    ...
}
Don't encode input, validate it. You want to prevent XSS or possible XSS in your database.
You can validate the input in your controllers and/or repositories.
Encode output
Use OWASP's Java Encoder Project. In a JSP, you can do:
<e:forHtml value="${attr}" />
The code you pasted is not validation code. This is output escaping. If you want to validate a piece of code, you want to use one of the many ESAPI.validator().getValidInput() methods that work in combination with validation.properties.
Also, if your idea is to do validation on output, DON'T do that. In principle it means you'll accept malicious data in the application and then only check for its evilness when you go to output it. Keep it from entering your application in the first place! Escape the output. Always escape the output according to context!
This answer gives four examples of how to think about output escaping--don't forget about your contexts!!!! And the accepted answer also guides you in a more complete solution for handling XSS beyond that.
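Putting both answers together, here is an added example (not code from the question or either answer) of validating the parameter on the way in with ESAPI's Validator and escaping it per context on the way out with the OWASP Java Encoder. It assumes a constructed `Validator.Title` entry in ESAPI's validation.properties and a hypothetical `TitleHandler` class.

```java
// Assumed entry in validation.properties (the key name "Title" is constructed):
//   Validator.Title=^[A-Za-z0-9 .,!?'-]{1,100}$
import org.owasp.esapi.ESAPI;
import org.owasp.esapi.errors.ValidationException;
import org.owasp.encoder.Encode;
import javax.servlet.http.HttpServletRequest;

public class TitleHandler {

    /** Input side: accept only what matches the whitelist pattern, or reject. */
    public static String readTitle(HttpServletRequest request) throws ValidationException {
        String raw = request.getParameter("temp");
        // "title" is only a label for log/exception messages; "Title" selects the
        // Validator.Title regex; 100 is the maximum length; false = null is rejected.
        // A mismatch throws ValidationException, so the value never reaches storage.
        return ESAPI.validator().getValidInput("title", raw, "Title", 100, false);
    }

    /** Output side, HTML body context: escape even though the value was validated. */
    public static String renderTitleHtml(String title) {
        // Validation rules and rendering contexts change independently, so output
        // escaping is applied regardless of what was accepted on input.
        return "<h1>" + Encode.forHtml(title) + "</h1>";
    }

    /** Output side, JavaScript string context: a different encoder for a different context. */
    public static String renderTitleJs(String title) {
        return "var title = '" + Encode.forJavaScript(title) + "';";
    }
}
```

If the same value is later written into an attribute or a URL, pick the matching Encode method (forHtmlAttribute, forUriComponent) rather than reusing forHtml.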