
I have an XSS vulnerability in one of my HTML input fields (<input type="text">) which I wanted to take care of. The HTML input is for social media URLs (for ex. Facebook, LinkedIn, Jabber, Skype etc.) and is later displayed as: <a href=link>link</a>.

There is no validation, so users may input whatever they want. Then, when someone clicks the link in the app and there is dangerous JavaScript, it will be executed. What I decided to do is to escape these URLs in the output so they will not execute any JavaScript on click. I am using JSF as the view and I couldn't find a tool which would help me fix it properly.

Firstly, I wanted to do some basic URL validation before saving the user's input, but because of the complexity of the URLs (links may not start with a protocol, and it may be any name, because some of the social media will have a default address prefix (scheme) in the system, for ex. skype: for Skype, so URLs may be like: linkedin.com/in/name or asdqwe) I had to abandon this idea.

What I tried to do is escape these URLs with the method StringEscapeUtils.escapeJavaScript from apache.commons.lang, but it is not preventing every type of dangerous code; for example it will not prevent inputting: javascript:alert(0); so I am looking for a tool which could provide me escaping of these URLs to completely or almost completely prevent XSS. Thank you for any help.

cerbin
  • "There is no validation".. I'd suggest adding validation. See https://stackoverflow.com/questions/6047866/how-to-perform-validation-in-jsf-how-to-create-a-custom-validator-in-jsf – Jasper de Vries Jan 15 '20 at 16:27
  • If you don't want validation, this question is not jsf related. (Escaping a url is not something jsf has) – Kukeltje Jan 15 '20 at 17:36

1 Answer


Actually you should validate input for URL format, via UrlValidator to ensure that interactive content (in your case - hyperlink) matches your format and can be clicked safely. Example below:

Construct a UrlValidator with valid schemes of "http", and "https".

import org.apache.commons.validator.routines.UrlValidator;

// Only http and https URLs pass; any other scheme (e.g. javascript:) is reported invalid
String[] schemes = {"http","https"};
UrlValidator urlValidator = new UrlValidator(schemes);
if (urlValidator.isValid("https://facebook.com")) {
   System.out.println("url is valid");
} else {
   System.out.println("url is invalid");
}

prints out "url is valid"

stck
  • Firstly I was thinking about it, validating the input to prevent entering an invalid URL, but the problem with it is that the user can input anything there; URLs may be something like: linkedin.com/in/asd or asdqwe (because every social media may have a prefix address, for example skype: for Skype), so creating a whitelist is pretty hard and I decided to escape output instead. – cerbin Jan 15 '20 at 16:23
  • Hi @cerbin: next time state these in your question, it saves someone from spending time writing an answer that is useless to you, or they can directly comment on that. Personally, I'd go for a validator and a small whitelist. – Kukeltje Jan 15 '20 at 16:36
  • @Kukeltje Yes sorry about that, I edited my question to take into account my comment above. – cerbin Jan 15 '20 at 17:20
  • @cerbin: check https://commons.apache.org/proper/commons-validator/apidocs/org/apache/commons/validator/routines/UrlValidator.html#ALLOW_ALL_SCHEMES – Kukeltje Jan 15 '20 at 17:38
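An added example (not code from the question or the answer) of the approach the comments converge on: give each platform a default scheme for scheme-less input such as linkedin.com/in/name or asdqwe, then allow only an explicit list of schemes so javascript: can never reach an href. The class SocialLinkBuilder, the method toSafeHref and the platform table are hypothetical; it uses java.net.URI instead of UrlValidator so that the skype: scheme can be allowed alongside http and https.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;
import java.util.Map;
import java.util.Optional;
import java.util.Set;

/** Builds a safe href for a user-supplied social-media URL or bare handle (hypothetical helper). */
public final class SocialLinkBuilder {
    // Default scheme per platform, applied only when the input carries no scheme (constructed table).
    private static final Map<String, String> DEFAULT_PREFIX = Map.of(
            "facebook", "https://",
            "linkedin", "https://",
            "skype", "skype:");
    // Allowlist of schemes that may reach an href; javascript:, data:, vbscript: fail by omission.
    private static final Set<String> ALLOWED_SCHEMES = Set.of("http", "https", "skype");

    /** Returns the href to render, or empty when the input must be rejected. */
    public static Optional<String> toSafeHref(String platform, String rawInput) {
        if (platform == null || rawInput == null) return Optional.empty();
        String input = rawInput.strip();
        // Browsers ignore tabs/newlines inside "java\tscript:", so refuse control characters outright.
        if (input.isEmpty() || input.chars().anyMatch(Character::isISOControl)) return Optional.empty();
        try {
            // java.net.URI splits off a leading scheme the way a browser does, so "javascript:alert(0)"
            // is never mistaken for a scheme-less handle that would receive the default prefix.
            URI parsed = new URI(input);
            String candidate = input;
            if (parsed.getScheme() == null) {
                String prefix = DEFAULT_PREFIX.get(platform.toLowerCase(Locale.ROOT));
                if (prefix == null) return Optional.empty();
                candidate = prefix + input;   // e.g. https:// in front of linkedin.com/in/name
                parsed = new URI(candidate);
            }
            String scheme = parsed.getScheme().toLowerCase(Locale.ROOT);
            if (!ALLOWED_SCHEMES.contains(scheme)) return Optional.empty();
            // Web links need a real host: getHost() is null for "https:////evil.example" or a bad authority.
            if (!scheme.equals("skype") && parsed.getHost() == null) return Optional.empty();
            return Optional.of(candidate);
        } catch (URISyntaxException e) {
            return Optional.empty();   // spaces, quotes, '<' and '>' are illegal URI characters and land here
        }
    }

    public static void main(String[] args) {
        System.out.println(toSafeHref("linkedin", "linkedin.com/in/name"));
        System.out.println(toSafeHref("skype", "asdqwe"));
        System.out.println(toSafeHref("facebook", "javascript:alert(0);"));
        System.out.println(toSafeHref("facebook", " JavaScript:alert(0) "));
    }
}
```

The view must still HTML-encode the returned value when it renders it into href (h:outputLink does this); the validator decides what may become a link, the encoder keeps it a plain string.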