
I have a form that people can add their stuff. However, in that form, if they enter JavaScript instead of only text, they can easily inject whatever they want to do. In order to prevent it, I can set escapeXml to true, but then normal HTML would be escaped as well.

<td><c:out value="${item.textValue}" escapeXml="true" /></td>

Is there any other way to prevent JavaScript injection rather than setting this to true?

  • It wasn't clear from the original question that the code/feature in question is about JSP, so I've added the `jsp-tags` tag. But I'm not familiar with JSP, so if there's a more appropriate tag for this, please change it to that. – Lèse majesté Nov 17 '10 at 17:12

3 Answers


I'd recommend using Jsoup for this. Here's an extract of relevance from its site.

Sanitize untrusted HTML

Problem

You want to allow untrusted users to supply HTML for output on your website (e.g. as comment submission). You need to clean this HTML to avoid cross-site scripting (XSS) attacks.

Solution

Use the jsoup HTML Cleaner with a configuration specified by a Whitelist.

import org.jsoup.Jsoup;
import org.jsoup.safety.Whitelist;

String unsafe = "<p><a href='http://example.com/' onclick='stealCookies()'>Link</a></p>";
String safe = Jsoup.clean(unsafe, Whitelist.basic());
// now: <p><a href="http://example.com/" rel="nofollow">Link</a></p>

So, all you basically need to do is the following when processing the submitted text:

String text = request.getParameter("text");
String safe = Jsoup.clean(text, Whitelist.basic());
// Persist 'safe' in DB instead.

Jsoup offers more advantages than that as well. See also Pros and Cons of HTML parsers in Java.

  • I am going to take a look at this library, but I guess sometimes it's hard to introduce a new library in some organizations. For sure, I will use as much as I can – paradisonoir Nov 22 '10 at 21:54
  • I know this is an old answer but I'm running into a similar issue. I have JSTL outputting values from a form onto a page using and I'm wondering where do I place the jsoup code so that it works JSTL – Francisc0 Jun 19 '13 at 14:37
  • @Francis: Just in a servlet before saving in DB and/or forwarding to JSP? – BalusC Jun 19 '13 at 14:52

You need to parse the HTML text on the server as XML, then throw out any tags and attributes that aren't in a strict whitelist.
(And check the URLs in href and src attributes)

SLaks
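The allowlist approach SLaks describes, and what Jsoup.clean(text, Whitelist.basic()) does in the answer above, as an added example written for illustration (it is not code from the question, the answers or the jsoup project): parse the submitted HTML, keep only allowlisted tags and attributes, check the scheme of href/src URLs, and re-escape everything on output. Python is used here so the algorithm can be shown in under 50 lines; the tag set and the enforced rel="nofollow" are assumptions modelled on jsoup's basic() list, and in production you would still use a maintained library such as jsoup rather than this sketch.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Allowlist modelled on jsoup's Whitelist.basic() (assumption): each tag maps to the attributes it may keep.
ALLOWED_TAGS = {"a": {"href"}, "b": set(), "i": set(), "em": set(), "strong": set(), "p": set(),
                "br": set(), "ul": set(), "ol": set(), "li": set(), "blockquote": set(), "code": set()}
ALLOWED_SCHEMES = {"http", "https", "mailto"}  # rejects javascript:, data:, vbscript: and relative URLs
def url_is_safe(url):
    # urlparse strips embedded tab/newline, so "java\nscript:" does not slip past the scheme check
    return urlparse(url.strip()).scheme in ALLOWED_SCHEMES
class AllowlistSanitizer(HTMLParser):
    """Re-serialise input keeping only allowlisted tags/attributes; everything else is dropped or escaped."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.open, self.skip_depth = [], [], 0

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip_depth += 1  # drop the element and its text content
        elif tag in ALLOWED_TAGS and not self.skip_depth:  # unknown tags are dropped, their text kept
            kept = []
            for name, value in attrs:
                if name not in ALLOWED_TAGS[tag] or value is None:
                    continue  # onclick=, onerror=, style= ... never reach the output
                if name in ("href", "src") and not url_is_safe(value):
                    continue  # href="javascript:..." is removed, the link text stays
                kept.append(f' {name}="{escape(value, quote=True)}"')
            if tag == "a":
                kept.append(' rel="nofollow"')  # enforced attribute, as jsoup's basic() does
            self.out.append(f"<{tag}{''.join(kept)}>")
            if tag != "br":
                self.open.append(tag)
    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip_depth = max(0, self.skip_depth - 1)
        elif tag in self.open:  # also closes tags left open inside it, so output stays balanced
            while (closed := self.open.pop()) != tag:
                self.out.append(f"</{closed}>")
            self.out.append(f"</{tag}>")
    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))

def sanitize(untrusted_html):
    parser = AllowlistSanitizer()
    parser.feed(untrusted_html)
    parser.close()
    parser.out.extend(f"</{t}>" for t in reversed(parser.open))  # close anything still open
    return "".join(parser.out)
```

Run it over the jsoup example from the answer and it yields the same cleaned markup; the place to call it is the servlet that handles the form, before the value is stored or forwarded to the JSP.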

This is exactly the intent of the OWASP AntiSamy project.

The OWASP AntiSamy project is a few things. Technically, it is an API for ensuring user-supplied HTML/CSS is in compliance within an application's rules. Another way of saying that could be: It's an API that helps you make sure that clients don't supply malicious cargo code in the HTML they supply for their profile, comments, etc., that get persisted on the server. The term "malicious code" in regards to web applications usually mean "JavaScript." Cascading Stylesheets are only considered malicious when they invoke the JavaScript engine. However, there are many situations where "normal" HTML and CSS can be used in a malicious manner. So we take care of that too.

Another alternative is the OWASP HTMLSanitizer project. It is faster, has fewer dependencies and is actively supported by the project lead as of now. I don't think it has gone through any GA/Stable release yet, so you should consider that when evaluating this library.

jsears