I am writing a servlet filter to safeguard the site from XSS Vulnerabilities. I need a whitelist that I can apply against HTTPRequest so that I can avoid any malicious script and characters.

Can I use regular expressions as a whitelist? Which regular expression should I use so that it will include all the characters of the URL? Any other solution is also welcome.

Please suggest how to create a whitelist for the URL of the application.

Thanks in advance.

Update - Please do not downvote this. See my research in the comments. I have already researched this a lot.

Manoj Kumar
  • I already used the JSTL tag or fn:escapeXml() for character encoding. I want to apply extra security via a filter so that in case of malicious script or characters it will not hit the servlet and JSP. – Manoj Kumar Jul 27 '16 at 13:52
  • I need a whitelist to implement the first level of security; on the second level I already implemented character encoding. So please don't mark this as a duplicate. – Manoj Kumar Jul 27 '16 at 13:55
  • My customer wants to mark the request as a bad request in the response in case malicious characters are injected in the URL. That's why I need a whitelist. – Manoj Kumar Jul 27 '16 at 13:59

2 Answers

1

You need to use a real HTML parser to prevent XSS, such as JSoup. Don't use regex.

Here is a simplistic filter I made for Spring Security which blocks (hopefully) all inbound XSS:

http://blog.databasepatterns.com/2015/08/simple-inbound-xss-filter-for-spring.html

You could modify it for a non-Spring environment, or allow certain tags, much like Hibernate Validator's @SafeHTML annotation does.

Neil McGuigan
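As an added example (my own code, not the linked blog post or the answer's filter), here is a plain servlet filter that combines the two ideas in this thread: a regex whitelist for the decoded request path and JSoup's safelist check for parameter names and values, answering 400 Bad Request as the question's customer wants. It assumes Servlet 4.0+ (javax.servlet, where init/destroy have defaults) and jsoup 1.15.1+ (class Safelist; older releases call it Whitelist); the class, field and method names are mine.

```java
import java.io.IOException;
import java.util.Map;
import java.util.regex.Pattern;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.jsoup.Jsoup;
import org.jsoup.safety.Safelist;

public class XssRejectFilter implements Filter {

    // Whitelist for the decoded request path: RFC 3986 unreserved characters
    // plus '/'. Extend it to your own URL scheme; <, >, quotes, whitespace
    // and control characters never match.
    private static final Pattern SAFE_PATH = Pattern.compile("^[A-Za-z0-9._~/-]*$");

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        // Use the decoded path, not getRequestURI(): the whitelist must see
        // '<' even when it arrived percent-encoded as %3C.
        String path = request.getServletPath()
                + (request.getPathInfo() == null ? "" : request.getPathInfo());
        if (!isAllowed(path, request.getParameterMap())) {
            // As the question requires: answer 400, never reach the servlet/JSP.
            response.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        chain.doFilter(req, res);
    }

    /** True only if the path matches the whitelist and no parameter carries HTML. */
    static boolean isAllowed(String path, Map<String, String[]> params) {
        if (path == null || !SAFE_PATH.matcher(path).matches()) {
            return false;
        }
        for (Map.Entry<String, String[]> e : params.entrySet()) {
            // Parameter names and values are already URL-decoded by the
            // container. Safelist.none() allows text only: any tag, e.g.
            // <script>, makes isValid() return false.
            if (!Jsoup.isValid(e.getKey(), Safelist.none())) return false;
            for (String v : e.getValue()) {
                if (!Jsoup.isValid(v, Safelist.none())) return false;
            }
        }
        return true;
    }
}
```

Register it in web.xml or with @WebFilter("/*"); it complements, and does not replace, the fn:escapeXml() output encoding already in place.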
0

You can use a combination of ESAPI, JSoup (has a whitelist function) and JSR-303 to protect against XSS.

Take a look at my response here: How to Modify QueryParam and PathParam in Jersey 2

Alessandro Giannone