Form security by replacing '>', '<' characters

Question

i create a web form with JSP, and for preventing attacks I do the following:

input.replace("<", "something else");
input.replace(">", "something else");

so a user cannot add HTML or other tags inside a form.

Is this enough to prevent attacks of this kind(Insertions of HTML or other tags inside my website)??

Thanks you JH. G.

What if someone then fills in `<script>alert('got you!')</script>` so they can attack the system that gets this data AFTER yours? — Marc B, May 24 '11 at 17:13

score 3 · Accepted Answer · answered May 24 '11 at 17:07

3

In short, no. I recommend that you should checkout the ESAPI project for this. They have built in tools to HTML encode requests and responses as to prevent XSS attacks.

answered May 24 '11 at 17:07

CtrlDot

2,463
14
11

Why no? Could you give me an example of an attack? – Jh. G. May 24 '11 at 17:08
2

Sure. Checkout http://ha.ckers.org/xss.html for a good cheatsheet on the list of XSS attacks. – CtrlDot May 24 '11 at 17:12

score 0 · Answer 2 · edited May 23 '17 at 12:19

0

This is not entirely the right way. It's not only incomplete as ', " and & also needs to be escaped, but you should actually be using JSTL <c:out> or fn:escapeXml() to escape HTML/XML entities in the view side.

E.g.

<c:out value="${bean.value}" />
<input type="text" name="foo" value="${fn:escapeXml(param.foo)}" />

Form security by replacing '>', '<' characters

2 Answers2

See also: