My application has been through a security audit and I was told that there are XSS issues (parameters passed through the URL are stored without filtering, and the output is not entity encoded to take care of HTML metacharacters).

I have 2 questions:

1. I am planning to use a servlet filter with AntiSamy to filter user input for script tag presence (http://bazageous.wordpress.com/). Does it take care of all HTML metacharacters? Which policy file should I use? There is no requirement to enter HTML input.

2. How can I replicate this issue? I have tried injecting
   a. <BR SIZE="&{alert('XSS')}">
   b. <script>alert(123)</script>
   with other user inputs through text fields, but NO success in creating an alert while rendering the JSP (through JSON and ExtJS). Please suggest how I can reproduce this issue; the application does not take care of XSS as of today.
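The audit finding has two halves: unfiltered storage and missing output encoding. An input filter such as AntiSamy addresses the first, but the second is fixed only by encoding every stored value at the point it is written into the page. The following is an added example, not code from the question, from AntiSamy or from any ExtJS/JSP project: a minimal Java encoder for the HTML body and attribute context that replaces the HTML metacharacters, plus a check run over the two payloads quoted in the question. The class and method names (`HtmlOutputEncoder`, `encodeForHtml`, `isInert`) are assumptions chosen for the example.

```java
// Added example: output encoding for the HTML context. Not from the
// question, AntiSamy, ExtJS or any JSP project; names are assumptions.
public final class HtmlOutputEncoder {

    private HtmlOutputEncoder() {}

    /**
     * Replace the HTML metacharacters so the string is rendered literally
     * when placed into an HTML body or a quoted attribute value.
     * Encoding is done at output time, independent of any input filtering.
     */
    public static String encodeForHtml(String input) {
        if (input == null) {
            return "";
        }
        StringBuilder sb = new StringBuilder(input.length() + 16);
        for (int i = 0; i < input.length(); i++) {
            char c = input.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break; // must come first conceptually: never re-encode output
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break; // numeric form: &apos; is not defined in HTML 4
                case '/':  sb.append("&#47;");  break; // closes tags; encode to be safe in attributes
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /**
     * True if the encoded text contains none of the characters that can
     * open a tag or terminate an attribute value.
     */
    public static boolean isInert(String encoded) {
        return encoded.indexOf('<') < 0
            && encoded.indexOf('>') < 0
            && encoded.indexOf('"') < 0
            && encoded.indexOf('\'') < 0;
    }

    public static void main(String[] args) {
        // Constructed samples: the two payloads quoted in the question
        // and one benign value, to show encoding leaves plain text alone.
        String[] samples = {
            "<BR SIZE=\"&{alert('XSS')}\">",
            "<script>alert(123)</script>",
            "plain text stays unchanged"
        };
        for (String s : samples) {
            String out = encodeForHtml(s);
            System.out.println("raw:     " + s);
            System.out.println("encoded: " + out + "  (inert=" + isInert(out) + ")");
        }
    }
}
```

Apply `encodeForHtml` where the JSP writes a stored value into markup. For the JSON/ExtJS path the rule is the same but the context differs: the server must JSON-escape string values in the response, and the client must insert them as text (not as raw HTML) when it builds the DOM, since HTML entity encoding alone does not make a value safe inside a JavaScript string literal.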