
In my Java EE project, I set a filter in the web.xml file which will use the class MyHttpServeltRequestWrapper (extends HttpServletRequestWrapper). I am overriding the getParameter/getParameterValues methods in it in order to prevent any XSS attacks.

I'm performing HTML escaping on parameter values.

Can someone please tell if it is a good idea to redefine the methods like

  • getRequestURL(),
  • getRequestURI(),
  • getQueryString(),
  • getCookies() methods to put in XSS prevention logic.

Can I use URLEncoder on values returned by getRequestURL(), getRequestURI(), getQueryString()?

And what about the getCookies() method? In what way does it make my pages vulnerable to attacks if I leave my getCookies() method unsanitized?


1 Answer


You're going down the wrong path as to XSS prevention. XSS does no harm in server-side code. It only harms in the generated HTML output. It will harm when you inline user-controlled input unescaped among the existing HTML source code, so that it gets interpreted by the browser as part of the real HTML source code. You need to replace HTML special characters like <, >, etc. by &lt;, &gt;, etc. so that they get displayed as-is instead.

Do it on the view side (JSP) only. Just use JSTL <c:out> or fn:escapeXml() everywhere you're redisplaying user-controlled input. They will escape the HTML special characters.

E.g.

<c:out value="${someBean.someUserControlledValue}" />
<c:out value="${cookie.cookiename}" />
<c:out value="${header.headername}" />
<c:out value="${param.paramname}" />
<input type="text" name="foo" value="${fn:escapeXml(param.foo)}" />

See also:

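An added example, not code from the question or the answer, showing the answer's point in plain Java: a view-side escaper doing what <c:out>/fn:escapeXml do, next to the double-escaping that an input-side request wrapper causes. The class and method names (OutputEscapingDemo, escapeHtml, renderGreeting) and the sample value are hypothetical.

```java
// Added example (not from the question or answer). Demonstrates why HTML
// escaping belongs at output time (the view), not in a request wrapper.
public final class OutputEscapingDemo {

    // Escape the five characters that matter in HTML text and attribute
    // values. These are the same replacements JSTL's escapeXml applies.
    // '&' must be escaped too, or the other entities could be re-interpreted.
    static String escapeHtml(String s) {
        if (s == null) {
            return "";
        }
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&#034;"); break;
                case '\'': sb.append("&#039;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Render a value the way a JSP with <c:out> does: the raw value stays
    // untouched in the model and is escaped only at the moment of output.
    static String renderGreeting(String rawName) {
        return "<p>Hello, " + escapeHtml(rawName) + "</p>";
    }

    public static void main(String[] args) {
        // Constructed sample: a parameter value carrying markup characters.
        String raw = "Tom & Jerry <b>";

        // Correct: escape once, at output. The markup is neutralised and the
        // stored value remains exactly what the user typed.
        System.out.println(renderGreeting(raw));

        // The wrapper approach from the question: escape on the way in...
        String escapedOnInput = escapeHtml(raw);
        // ...but the view must still escape (it cannot know the value was
        // pre-escaped), so the entities are escaped a second time and the
        // user sees literal "&amp;" and "&lt;" text instead of their input.
        System.out.println(renderGreeting(escapedOnInput));
    }
}
```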