1

I want to protect my website from XSS, and I want to ensure that all my data is correct and consistent, so I don't want to allow any scripts to be added to my DB. That's because my data may be used by other web services, so I want to be sure that my data is correct and will not cause any problems for others.

I want to do validation only on the input of the data, not at the output; hence I will do the validation only once, and I will also be sure that no scripts exist in my DB.

EDIT: please check the last comment I added.

palAlaa
  • Lots of duplicates here: http://stackoverflow.com/questions/tagged/jsp+xss – BalusC Nov 05 '10 at 21:25
  • I edited my question, please check it. – palAlaa Nov 24 '10 at 01:01
  • Then this is the one you want: http://stackoverflow.com/questions/3587199/how-to-purify-html-code-to-prevent-xss-attacks-in-java-or-jsp It's in the list of duplicates. – BalusC Nov 24 '10 at 02:35
  • @Alaa, in what way does the answer given by @BalusC not solve your problem? – Bozho Nov 24 '10 at 09:18
  • @Bozho, @BalusC's answer allows XSS to be added to the DB, then he does validation at the output to escape any XML characters, and in the system I work on the data will be shared with more than one party, so I can't force them to do validation at each output; they need the pure, consistent and trusted data. – palAlaa Nov 25 '10 at 01:39
  • @Alaa - why do you think so? You can use the same code to sanitize the input and store it. – Bozho Nov 25 '10 at 07:02
  • @Bozho, how can I use the same code to sanitize the input? Since fn:escapeXml() doesn't remove XSS characters, and it allows the DB engine to store it implicitly!! And this by itself could cause many problems to any other system that may share the same DB with me? – palAlaa Nov 25 '10 at 07:37
  • @Alaa - are we talking about the same code? I mean the one with jsoup, the upvoted comment of BalusC – Bozho Nov 25 '10 at 08:15
  • @Bozho, yes, we are talking about using c:out at the output and fn:escapeXml() at the input – palAlaa Nov 25 '10 at 08:33
  • It seems no, we are not. Did you check the Jsoup code by BalusC? – Bozho Nov 25 '10 at 08:47
  • What is Jsoup? Where can I find this code? – palAlaa Nov 25 '10 at 09:54
  • You seem to be ignoring the link in my 2nd comment. Here it is again: http://stackoverflow.com/questions/3587199/how-to-purify-html-code-to-prevent-xss-attacks-in-java-or-jsp. If you want me to repost this as an answer in your question, then say so. – BalusC Nov 26 '10 at 03:41
  • @BalusC, this answer sounds great, but how can I take any parameter from the HTTP request? I know that I should specify the name of a parameter: request.getParameter("param name")?? – palAlaa Nov 26 '10 at 14:40
  • @BalusC - Can you please repost your answer to my question? I want to upvote it. And can you please answer my question in the previous comment? – palAlaa Nov 29 '10 at 01:51

2 Answers

5

Use a Filter to sanitize HTTP request data.

You may go for jsoup, it is very handy:

import org.jsoup.Jsoup;
import org.jsoup.safety.Whitelist;

String unsafe = "<p><a href='http://example.com/' onclick='stealCookies()'>Link</a></p>";
String safe = Jsoup.clean(unsafe, Whitelist.basic()); // drops the onclick handler, keeps the allowed <p> and <a>
// now: <p><a href="http://example.com/" rel="nofollow">Link</a></p>

Ref: http://jsoup.org/cookbook/cleaning-html/whitelist-sanitizer

Puspendu Banerjee
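As an added example (not code from the answer above, nor from jsoup or the Servlet API projects), this is what "a Filter that sanitizes request data" can look like in Java: a javax.servlet.Filter that wraps the request so every parameter accessor returns a value that has already been through Jsoup.clean(). The class name, the inner wrapper and the whitelist choice are assumptions; it assumes the Servlet 2.5-era javax.servlet API and a jsoup 1.x version that still ships org.jsoup.safety.Whitelist.

```java
// Added example: sanitize every request parameter once, on input, with jsoup.
// Class names and the whitelist choice are assumptions for this illustration.
import java.io.IOException;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

import org.jsoup.Jsoup;
import org.jsoup.safety.Whitelist;

public class HtmlSanitizingFilter implements Filter {

    public void init(FilterConfig config) throws ServletException {
        // nothing to configure for this example
    }

    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        if (request instanceof HttpServletRequest) {
            // Downstream servlets/JSPs only ever see the wrapped, cleaned request.
            chain.doFilter(new SanitizedRequest((HttpServletRequest) request), response);
        } else {
            chain.doFilter(request, response);
        }
    }

    public void destroy() {
        // nothing to release
    }

    /** Whitelist cleaning: keeps basic formatting tags, drops script elements and event-handler attributes. */
    static String sanitize(String value) {
        return value == null ? null : Jsoup.clean(value, Whitelist.basic());
    }

    /** Request wrapper whose parameter accessors all return cleaned values. */
    static class SanitizedRequest extends HttpServletRequestWrapper {
        private final Map<String, String[]> cleaned = new HashMap<String, String[]>();

        SanitizedRequest(HttpServletRequest request) {
            super(request);
            // Servlet 2.5 returns a raw Map here; the unchecked conversion is intentional.
            @SuppressWarnings("unchecked")
            Map<String, String[]> raw = request.getParameterMap();
            for (Map.Entry<String, String[]> entry : raw.entrySet()) {
                String[] values = entry.getValue();
                String[] safe = new String[values.length];
                for (int i = 0; i < values.length; i++) {
                    safe[i] = sanitize(values[i]);
                }
                cleaned.put(entry.getKey(), safe);
            }
        }

        @Override
        public String getParameter(String name) {
            String[] values = cleaned.get(name);
            return (values == null || values.length == 0) ? null : values[0];
        }

        @Override
        public String[] getParameterValues(String name) {
            String[] values = cleaned.get(name);
            return values == null ? null : values.clone();
        }

        @Override
        public Map<String, String[]> getParameterMap() {
            return Collections.unmodifiableMap(cleaned);
        }
    }
}
```

Map the filter to the URLs that accept user input (a `<filter-mapping>` with `<url-pattern>/*</url-pattern>` in web.xml is the usual catch-all). Two caveats a reviewer would raise: Jsoup.clean() returns HTML, so a plain-text field such as a name containing `&` or `<` comes back entity-encoded and should not be routed through this filter; and cleaning stored HTML does not make it safe in every context (a JavaScript string, a URL, an attribute), so the consuming views still need context-appropriate output escaping.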
0

In short, you can write a filter which does proper escaping of user input (mapped to the relevant URL mapping). There could be a readily available plugin to do this, but I am not aware of one.
You can refer to this thread: XSS prevention in JSP/Servlet web application

ch4nd4n
  • Using ${fn:escapeXml(param.foo)} as @BalusC says allows '<', '>', '"' to be inserted into the DB; I tried it before and it doesn't work! – palAlaa Nov 05 '10 at 18:38
  • There is a commons lang API that you can use to encode and decode. http://commons.apache.org/lang/index.html – ch4nd4n Nov 05 '10 at 19:08
  • @Alaa: that prevents user-entered HTML being interpreted literally in the view. HTML won't be interpreted in the DB, so that does no harm at all. The DB only understands SQL (for which you would like to prevent SQL injection attacks, but that's a different subject). XSS escaping needs to be done on **output** only, not on **input**. The `c:out` and `fn:escapeXml()` do exactly that. @ck-: I don't see how a filter is useful in this. – BalusC Nov 05 '10 at 21:23
  • @BalusC A Filter can look into the parameters submitted and escape HTML (or whatever markup). One would not have to bother about it on the front end. The alternate way is how you propose. Looking into all the params might be an expensive way to do things. – ch4nd4n Nov 05 '10 at 22:33
  • @BalusC I use c:out on output and fn:escapeXml() on input, and it prevents execution of scripts in the view and works properly, many thanks, but I didn't get something: when I apply fn:escapeXml() to the input, you said that "This will escape under each <, >, ", ' and & which may malform the rendered HTML into HTML/XML entities as <, >, ", ' and &." At what tier does this happen? Since I open my DB and find it like this " ", and when I use c:out for the output, how does it remember that this field has been escaped before? – palAlaa Nov 06 '10 at 19:55
  • @BalusC I am so sorry because I didn't understand your explanation quickly :(. – palAlaa Nov 06 '10 at 19:57
  • @Alaa: JSTL and EL get executed in the view. The c:out and fn:escapeXml don't change the input. They just change the output. – BalusC Nov 06 '10 at 21:03
  • @BalusC you said JSTL and EL are executed in the view only, that's fine, but why did you say we should apply escapeXml() to the input, e.g.: – palAlaa Nov 07 '10 at 18:59
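The comment thread above turns on the difference between escaping (fn:escapeXml, c:out) and cleaning (Jsoup.clean), and on what happens when escaped text is stored and then escaped again. The following added example, which is not code from the thread or from JSTL, makes that concrete: escapeXml() here is a local helper reproducing the five replacements JSTL's fn:escapeXml() makes, written for this illustration, and the input string is constructed. It assumes jsoup 1.x with org.jsoup.safety.Whitelist on the classpath.

```java
// Added example: escaping on input vs. escaping on output vs. cleaning on input.
// escapeXml() is a local stand-in for JSTL fn:escapeXml(), not the JSTL class.
import org.jsoup.Jsoup;
import org.jsoup.safety.Whitelist;

public class EscapeVersusSanitize {

    /** Same five replacements JSTL's fn:escapeXml() performs. */
    static String escapeXml(String s) {
        StringBuilder out = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&#034;"); break;
                case '\'': out.append("&#039;"); break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    /** Whitelist cleaning: the markup is parsed, disallowed elements are removed, safe HTML is re-serialised. */
    static String cleanHtml(String s) {
        return Jsoup.clean(s, Whitelist.basic()).trim();
    }

    /** Store escaped text, then escape again in the view (the "double escaping" the OP ran into). */
    static String escapeOnInputThenOutput(String userInput) {
        String stored = escapeXml(userInput);   // what lands in the DB
        return escapeXml(stored);               // what c:out emits when rendering it
    }

    /** Store the raw text, escape exactly once in the view (BalusC's recommendation). */
    static String escapeOnOutputOnly(String userInput) {
        String stored = userInput;              // raw text in the DB
        return escapeXml(stored);
    }

    /** Clean once on input; cleaning again later gives the same result, so other consumers are not harmed. */
    static boolean cleaningIsIdempotent(String userInput) {
        String once = cleanHtml(userInput);
        return once.equals(cleanHtml(once));
    }

    public static void main(String[] args) {
        // Constructed sample input: ordinary text with an ampersand plus a script element.
        String input = "Tom & Jerry <script>alert(1)</script>";

        System.out.println("escaped on input, stored:   " + escapeXml(input));
        System.out.println("then escaped again by view: " + escapeOnInputThenOutput(input));
        System.out.println("escaped on output only:     " + escapeOnOutputOnly(input));
        System.out.println("cleaned on input:           " + cleanHtml(input));
        System.out.println("cleaning is idempotent:     " + cleaningIsIdempotent(input));
    }
}
```

Running this shows why the two camps in the thread talk past each other: escaping on input turns `&` into `&amp;` in the database, and a view that escapes again renders `&amp;amp;`, so the stored data is no longer the user's text and every consumer has to know it was pre-escaped. Escaping on output alone keeps the database faithful and neutralises the markup exactly where it would be interpreted. Cleaning on input with a whitelist is the option that matches the OP's requirement of "no scripts in the DB": the script element is dropped rather than encoded, and applying the cleaner a second time changes nothing, so a second party reading the same rows can sanitize again without corrupting the data.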