I am looking at options to clean the URL for a possible XSS issue. Here is my high-level workflow.

  1. We keep track of the user and the page journey using analytics.
  2. To send the data to analytics, we use in-page DOM injection based on the JavaScript provided by the analytics team.
  3. As part of the tracking, we need to send the page URI; here is how we are doing that in the JSP page.

data["pageName"]="${sanitizeInput(requestScope['javax.servlet.forward.request_uri'])}";

This is working fine and the data is passed to the analytics without any issue, except when someone tries to pass some script data in the URL. I am finding a lot of requests with a similar pattern:

https://domainname/'%3bfunc(document.cookie)%3b'

The pattern is the same, where the system is trying to send similar values (passing the script in ''). Though most of it is taken care of at the CDN level and we are redirecting the user to the 404 page, I still want to handle this while writing the page name on the 404 page as well.

As additional information, sanitizeInput is using Jsoup internally. Can someone help me with the following questions?

  1. What is the best way to handle a similar issue?
  2. Is there a better option to remove/clean the URL before using the value in the JSP?
  3. Is there any API/library which can help me clean the URL before using the value?

Any other options to handle it correctly?

Umesh Awasthi
  • You actually don't want to escape HTML/XML (that is what Jsoup and JSTL fn:escapeXml are for). You just want to escape JS. Swap out `sanitizeInput` for `escapeEcmaScript` as shown in the above-linked duplicate. The word "URL" in your question title must be interpreted as "JavaScript variable". Whatever it in turn represents is irrelevant. – BalusC Nov 11 '20 at 19:45
  • @BalusC: The first thing I tried was escapeEcmaScript. Let me see if I was doing something wrong in that or missing some step. Thanks for the input!!! – Umesh Awasthi Nov 11 '20 at 20:58
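
A hand-written illustration of the JavaScript-string-context escaping the comment above recommends (an added example, not code from the question, from Jsoup or from commons-text; `escapeForJsString` and `renderPageNameLine` are names chosen here). It encodes every character outside [A-Za-z0-9] so that `'`, `;`, `<` and `/` from the request URI can never terminate the string literal or the `<script>` element, and prints the line the JSP would emit for the pattern seen in the question.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;

public final class JsStringContext {

    /**
     * Escapes s for placement inside a single- or double-quoted JavaScript string
     * literal in a <script> block. Everything outside [A-Za-z0-9] becomes \xHH or
     * \uHHHH, so quotes, backslashes, ';', '<', '/' and line terminators cannot end
     * the literal or the script element. HTML escaping is the wrong tool here: the
     * browser does not decode entities inside <script>, and Jsoup's cleaner leaves
     * a bare quote untouched. (Illustrative stand-in for a maintained JS encoder.)
     */
    public static String escapeForJsString(String s) {
        StringBuilder out = new StringBuilder(s.length() * 4);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            if ((c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') || (c >= '0' && c <= '9')) {
                out.append(c);
            } else if (c < 0x100) {
                out.append(String.format("\\x%02X", (int) c));
            } else {
                out.append(String.format("\\u%04X", (int) c)); // surrogates stay valid pairs
            }
        }
        return out.toString();
    }

    /** Builds the statement the JSP emits, with the page name in JS string context. */
    public static String renderPageNameLine(String requestUri) {
        return "data[\"pageName\"]=\"" + escapeForJsString(requestUri) + "\";";
    }

    public static void main(String[] args) {
        // Constructed sample mirroring the pattern in the question, after the
        // percent-decoding the servlet container performs on the request URI.
        String uri = URLDecoder.decode("/'%3bfunc(document.cookie)%3b'", StandardCharsets.UTF_8);
        System.out.println(renderPageNameLine(uri));
    }
}
```

The emitted value contains no quote, semicolon or angle bracket at all, so the analytics script still receives the original URI once the JavaScript engine decodes the escapes, but the attacker-controlled part can never run as code.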

0 Answers