
I have an application built with Struts 2. It has some issues with Cross-site scripting (XSS) attacks. I want to encode some of the actions input parameters in a similar fashion to JSP <c:out value="${somevalue}"/> Is there any easy approach to do this in Struts 2? Java API method would do fine.

EDIT I found this one - http://www.owasp.org/index.php/Talk:How_to_perform_HTML_entity_encoding_in_Java

Any experience with it?

Boris Hamanov
  • You must specify how the XSS is possible; if you are using s:property then "hello!" will render as just that... you need to set the escape property to false for you to output html in the property tag at least. s:property is popular for output so you must be doing something different?
    – Quaternion Feb 09 '11 at 18:21
  • I don't want to change the output, the application is too complex for that. – Boris Hamanov Feb 10 '11 at 07:47

3 Answers


You can use

<%@ taglib uri="http://java.sun.com/jsp/jstl/functions" prefix="fn" %>

${fn:escapeXml(someValue)}

There is also a good API, jsoup:

Sanitize untrusted HTML

Problem

You want to allow untrusted users to supply HTML for output on your website (e.g. as comment submission). You need to clean this HTML to avoid cross-site scripting (XSS) attacks.

Solution

Use the jsoup HTML Cleaner with a configuration specified by a Whitelist.

import org.jsoup.Jsoup;
import org.jsoup.safety.Whitelist;   // renamed Safelist in jsoup 1.14.1 and later

// Untrusted markup carrying an inline event handler.
String unsafe = 
      "<p><a href='http://example.com/' onclick='stealCookies()'>Link</a></p>";
// basic() keeps simple text formatting and links, drops attributes such as onclick,
// and adds rel="nofollow" to the links it keeps.
String safe = Jsoup.clean(unsafe, Whitelist.basic());
      // now: <p><a href="http://example.com/" rel="nofollow">Link</a></p>

So, all you basically need to do is the following when processing the submitted text:

String text = request.getParameter("text");
String safe = Jsoup.clean(text, Whitelist.basic());
// Persist 'safe' in DB instead.

There is struts2securityaddons

This project contains additional configuration, interceptors, and other code used to improve the security of struts 2 applications.

jmj
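The question asks for a centralized way to encode action input parameters, and the answer above shows the escaping calls (fn:escapeXml, Jsoup.clean) without saying where to put them. The following is an added example, not code from the question, the answer, jsoup or Struts: a servlet Filter that wraps the request and hands Struts 2 HTML-entity-encoded copies of every parameter value, so the encoding happens once at the intake point. The package name, class name and the web.xml mapping mentioned below are assumptions; the encoder follows the OWASP entity-encoding recommendation the question links to rather than calling a library.

```java
// Added example: HTML-entity encode all request parameters in one place,
// before the Struts 2 filter reads them. Not the original poster's code.
// Assumptions: javax.servlet Servlet 2.5/3.0 API; this filter is mapped in
// web.xml before the Struts 2 filter; plain form parameters only (multipart
// uploads go through Struts' own multipart wrapper and are not covered).
package example.xss;   // hypothetical package

import java.io.IOException;
import java.util.Collections;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

public class HtmlEncodingParameterFilter implements Filter {

    /** Entity-encode the characters that are significant in HTML text and attribute values. */
    static String encodeForHtml(String s) {
        if (s == null) return null;
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;   // &apos; is not defined in HTML 4
                case '/':  out.append("&#47;");  break;   // '/' can close a tag, e.g. </script>
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    /** Request wrapper whose parameter accessors all return the encoded copies. */
    static class EncodedRequest extends HttpServletRequestWrapper {
        private final Map<String, String[]> encoded;

        EncodedRequest(HttpServletRequest request) {
            super(request);
            Map<String, String[]> copy = new HashMap<String, String[]>();
            @SuppressWarnings("unchecked")   // Servlet 2.5 returns a raw Map here
            Map<String, String[]> raw = request.getParameterMap();
            for (Map.Entry<String, String[]> e : raw.entrySet()) {
                String[] values = e.getValue();
                String[] safe = new String[values.length];
                for (int i = 0; i < values.length; i++) safe[i] = encodeForHtml(values[i]);
                copy.put(e.getKey(), safe);
            }
            encoded = Collections.unmodifiableMap(copy);
        }

        // Struts 2 builds its parameter map from getParameterMap(), so this is
        // the override that matters; the others keep the wrapper consistent.
        @Override public Map<String, String[]> getParameterMap() { return encoded; }
        @Override public String[] getParameterValues(String name) { return encoded.get(name); }
        @Override public String getParameter(String name) {
            String[] v = encoded.get(name);
            return (v == null || v.length == 0) ? null : v[0];
        }
        @Override public Enumeration<String> getParameterNames() {
            return Collections.enumeration(encoded.keySet());
        }
    }

    public void init(FilterConfig filterConfig) { }
    public void destroy() { }

    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        if (request instanceof HttpServletRequest) {
            chain.doFilter(new EncodedRequest((HttpServletRequest) request), response);
        } else {
            chain.doFilter(request, response);
        }
    }
}
```

Map the filter in web.xml with a filter-mapping that precedes the Struts 2 filter's mapping, since the container applies filters in mapping order and Struts copies the parameter map when it builds the action context. The filter encodes for one context only (HTML text and quoted attributes); anything later written into JavaScript, a URL, or a non-HTML response will carry these entities, which is exactly the objection the next answer raises. If a field legitimately needs markup, run that field through Jsoup.clean with a whitelist instead of this encoder.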

Escaping input parameters as an XSS prevention means has several disadvantages, especially:

  • You can't be certain about the destination of the particular input data, therefore you can't choose the proper escaping scheme.
  • Escaping input data masks a lack of output escaping. Without consistent output escaping, you can still pass unescaped data to unescaped output accidentally.
  • The presence of escaping complicates data processing.

Therefore it would be better to apply consistent output escaping instead.

axtavt
    Yes, it would be better to escape output, but it is very easy to miss output escape as it applies to multiple places, while input intake is much more centralized and rarely modified. I am certain that I don't need HTML markup in my input. – Boris Hamanov Feb 09 '11 at 10:04
  • 1
    Still, escaping on the inbound is sketchy. What if new attacks methods are discovered -- are you going to reincode *all* the data that you've amassed thus far? Also, you assume you always want to output html. What if in the future you want to emit text/plain? you'll have all these funky html escape codes in your output. – NobodyMan Feb 03 '12 at 06:07

There is no easy, out of the box solution against XSS with Struts 2 tags. The OWASP ESAPI API has some support for the escaping that is very useful, and they have tag libraries.

My approach was basically to extend the Struts 2 tags in the following ways.

  1. Modify s:property tag so it can take extra attributes stating what sort of escaping is required (escapeHtmlAttribute="true" etc.). This involves creating a new Property and PropertyTag classes. The Property class uses OWASP ESAPI api for the escaping.
  2. Change freemarker templates to use the new version of s:property and set the escaping.

If you didn't want to modify the classes in step 1, another approach would be to import the ESAPI tags into the freemarker templates and escape as needed. Then if you need to use a s:property tag in your JSP, wrap it with an ESAPI tag.

I have written a more detailed explanation here.

http://www.nutshellsoftware.org/software/securing-struts-2-using-esapi-part-1-securing-outputs/

I agree escaping inputs is not ideal.

brett.carr
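The answer above describes two things without showing code: a tag that takes an attribute saying which kind of escaping to apply, and wrapping s:property in an ESAPI tag. The previous answer's main point is the same one seen from the other side: the right escaping scheme depends on where the value lands. The following is an added example, not brett.carr's code and not part of ESAPI or Struts: a JSP SimpleTag that evaluates its body (for instance a nested s:property) and encodes the result for the output context named in its "context" attribute, delegating to the ESAPI Encoder. It assumes ESAPI 2.x with a valid ESAPI.properties on the classpath and the JSP 2.0 tag API; the package, class and tag names (here "sec:encode") and the TLD that would declare the tag are assumptions.

```java
// Added example: context-aware output encoding tag built on the ESAPI Encoder.
// Not code from the answer above. Assumptions: ESAPI 2.x (org.owasp.esapi) with
// ESAPI.properties available at runtime, JSP 2.0 (javax.servlet.jsp), and a TLD
// mapping this class to a tag such as <sec:encode context="...">.
//
// Intended JSP usage (hypothetical tag prefix):
//   <p><sec:encode><s:property value="comment" escape="false"/></sec:encode></p>
//   <input value="<sec:encode context="attribute"><s:property value="name" escape="false"/></sec:encode>">
//   <script>var n = "<sec:encode context="javascript"><s:property value="name" escape="false"/></sec:encode>";</script>
// escape="false" on the inner s:property matters: s:property HTML-escapes by
// default, and encoding an already escaped value again would double-encode it.
package example.xss;   // hypothetical package

import java.io.IOException;
import java.io.StringWriter;

import javax.servlet.jsp.JspException;
import javax.servlet.jsp.tagext.SimpleTagSupport;

import org.owasp.esapi.ESAPI;
import org.owasp.esapi.Encoder;
import org.owasp.esapi.errors.EncodingException;

public class EncodeTag extends SimpleTagSupport {

    /** Output context: html (default), attribute, javascript, css or url. */
    private String context = "html";

    public void setContext(String context) { this.context = context; }

    /** Pick the ESAPI encoder that matches the declared output context. */
    static String encodeFor(String context, String raw) throws JspException {
        Encoder enc = ESAPI.encoder();
        String ctx = (context == null) ? "html" : context.trim().toLowerCase();
        if ("html".equals(ctx))       return enc.encodeForHTML(raw);
        if ("attribute".equals(ctx))  return enc.encodeForHTMLAttribute(raw);
        if ("javascript".equals(ctx)) return enc.encodeForJavaScript(raw);
        if ("css".equals(ctx))        return enc.encodeForCSS(raw);
        if ("url".equals(ctx)) {
            try {
                return enc.encodeForURL(raw);
            } catch (EncodingException e) {
                throw new JspException("URL encoding failed", e);
            }
        }
        // An unknown context fails closed: a typo in the attribute must not
        // silently emit the raw value.
        throw new JspException("unknown encoding context: " + context);
    }

    @Override
    public void doTag() throws JspException, IOException {
        StringWriter body = new StringWriter();
        if (getJspBody() != null) {
            getJspBody().invoke(body);   // evaluates nested tags such as s:property
        }
        getJspContext().getOut().write(encodeFor(context, body.toString()));
    }
}
```

Because the encoding is chosen at the point of output, the same stored value can be placed in HTML text, an attribute and a script block correctly, and nothing needs to be re-encoded in the database if a new context or a text/plain response is added later. Declare "context" as an optional attribute in the TLD with a body-content of "scriptless" so that the nested s:property is evaluated into the captured writer.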