
Currently the API looks like this:

@Autowired
private EmployeeService empService;

@ApiOperation(value = "adds a new Employee")
@PostMapping(value = "/add")
public EmployeeDetails employeeDetails(@RequestBody @Valid @NotNull EmployeeDetails empDetails) {
    empService.addNewEmployee(empDetails);
    // the method declares a return type, so hand the bound payload back to the caller
    return empDetails;
}

EmployeeDetails:

import lombok.Data;

import javax.persistence.Entity;
import javax.persistence.GeneratedValue;
import javax.persistence.GenerationType;
import javax.persistence.Id;

@Entity
@Data
public class EmployeeDetails {

    // an @Entity must declare its primary key, otherwise Hibernate refuses to map it
    @Id
    @GeneratedValue(strategy = GenerationType.IDENTITY)
    private Long id;

    private String firstName;

    private String lastName;

    @Override
    public String toString() {
        return "EmployeeDetails{" +
                "id=" + id +
                ", firstName='" + firstName + '\'' +
                ", lastName='" + lastName + '\'' +
                '}';
    }
}

So the issue is to avoid an XSS attack.

For example, if this piece of code, <script>alert("hello")</script>, is placed in firstName, it still passes and gives 200 in the response.

OR

If we give 1.2 for the ID, even then the response is 200.

How do I fix that?

1 Answer

You can use the @SafeHtml annotation from Hibernate Validator:

import lombok.Data;
import org.hibernate.validator.constraints.SafeHtml;

import javax.persistence.Entity;
import javax.persistence.GeneratedValue;
import javax.persistence.GenerationType;
import javax.persistence.Id;

@Entity
@Data
public class EmployeeDetails {

    @Id
    @GeneratedValue(strategy = GenerationType.IDENTITY)
    private Long id;

    // @SafeHtml targets CharSequence fields, not the class; this does the trick
    @SafeHtml
    private String firstName;

    @SafeHtml
    private String lastName;

    @Override
    public String toString() {
        return "EmployeeDetails{" +
                "id=" + id +
                ", firstName='" + firstName + '\'' +
                ", lastName='" + lastName + '\'' +
                '}';
    }
}

See example here: https://www.javatips.net/blog/anti-cross-site-scripting-xss-for-java-web-application

Also, you can implement a custom filter to escape the HTML characters. See here: Spring Boot escape characters at Request Body for XSS protection

maximus
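An added example covering both inputs from the question (the script tag in firstName and the fractional id); this is not the asker's or the answerer's code. It assumes Spring Boot 2.x with spring-boot-starter-web and spring-boot-starter-validation (javax.validation namespace); the class names EmployeeRequest, StrictJacksonConfig and RequestValidationAdvice are hypothetical. Two design choices differ from the answer above: the constraints go on a request DTO with an allow-list @Pattern instead of on the JPA entity with @SafeHtml, because @SafeHtml was deprecated in Hibernate Validator 6.1 and removed in 7.0, and the fractional id is handled at the Jackson layer, since Jackson's ACCEPT_FLOAT_AS_INT feature (enabled by default) is what turns 1.2 into 1 and lets the request through.

```java
// Added example, not code from the question or the answer. Assumes Spring Boot 2.x with
// spring-boot-starter-web and spring-boot-starter-validation (javax.validation namespace).
import com.fasterxml.jackson.databind.DeserializationFeature;
import org.springframework.boot.autoconfigure.jackson.Jackson2ObjectMapperBuilderCustomizer;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.http.converter.HttpMessageNotReadableException;
import org.springframework.web.bind.MethodArgumentNotValidException;
import org.springframework.web.bind.annotation.ExceptionHandler;
import org.springframework.web.bind.annotation.RestControllerAdvice;

import javax.validation.constraints.NotBlank;
import javax.validation.constraints.Pattern;
import javax.validation.constraints.Positive;
import javax.validation.constraints.Size;
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.Map;

// Request DTO (hypothetical name), kept separate from the JPA entity so the validation
// rules describe the wire format and the entity stays a persistence concern.
public class EmployeeRequest {

    // Must be a positive whole number; the Jackson feature disabled below stops a
    // JSON value of 1.2 from being silently truncated to 1 before this check runs.
    @Positive
    private Long id;

    // Allow-list of characters for a person's name. "<script>alert(\"hello\")</script>"
    // contains '<', '>', '(' and '"', none of which match, so the constraint fails.
    @NotBlank
    @Size(max = 50)
    @Pattern(regexp = "^[\\p{L} .'-]+$",
             message = "may contain only letters, spaces, periods, apostrophes and hyphens")
    private String firstName;

    @NotBlank
    @Size(max = 50)
    @Pattern(regexp = "^[\\p{L} .'-]+$",
             message = "may contain only letters, spaces, periods, apostrophes and hyphens")
    private String lastName;

    public Long getId() { return id; }
    public void setId(Long id) { this.id = id; }
    public String getFirstName() { return firstName; }
    public void setFirstName(String firstName) { this.firstName = firstName; }
    public String getLastName() { return lastName; }
    public void setLastName(String lastName) { this.lastName = lastName; }
}

@Configuration
class StrictJacksonConfig {

    // Jackson enables ACCEPT_FLOAT_AS_INT by default, which is why {"id": 1.2} binds to
    // id = 1 and the request returns 200. With the feature disabled the body fails to
    // deserialize and Spring raises HttpMessageNotReadableException instead.
    @Bean
    public Jackson2ObjectMapperBuilderCustomizer rejectFloatsForIntegers() {
        return builder -> builder.featuresToDisable(DeserializationFeature.ACCEPT_FLOAT_AS_INT);
    }
}

@RestControllerAdvice
class RequestValidationAdvice {

    // Constraint violations on a @Valid @RequestBody parameter arrive here; answer with 400
    // and the field-level messages rather than letting the request reach the service.
    @ExceptionHandler(MethodArgumentNotValidException.class)
    public ResponseEntity<Map<String, String>> onInvalidBody(MethodArgumentNotValidException ex) {
        Map<String, String> errors = new LinkedHashMap<>();
        ex.getBindingResult().getFieldErrors()
          .forEach(fe -> errors.put(fe.getField(), fe.getDefaultMessage()));
        return ResponseEntity.status(HttpStatus.BAD_REQUEST).body(errors);
    }

    // Malformed or non-coercible JSON (such as a fractional id) also becomes a 400.
    @ExceptionHandler(HttpMessageNotReadableException.class)
    public ResponseEntity<Map<String, String>> onUnreadableBody(HttpMessageNotReadableException ex) {
        return ResponseEntity.status(HttpStatus.BAD_REQUEST)
                             .body(Collections.singletonMap("body", "request body could not be parsed"));
    }
}
```

The controller from the question needs no change beyond taking EmployeeRequest instead of the entity: the @Valid on the @RequestBody parameter is what triggers the field constraints, and the advice class turns the resulting MethodArgumentNotValidException into a 400 with per-field messages. Input validation of this kind narrows what reaches the database, but it does not replace context-appropriate output encoding wherever these names are later rendered into HTML.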