xss prevention in email compose and view pages

abhishek kaul
Greenhorn

Joined: May 13, 2010
Posts: 8
Hi guys,

I don't know if this has been posted before. I searched but could not find anything relevant.

I was modifying my web application to prevent XSS attacks. I went through the OWASP specification (http://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet), which suggests performing HTML encoding, etc., for user input.

I have incorporated that. But now I have to do XSS prevention on my email compose and view pages. Here I need some HTML formatting like bold, italics, etc. (so I don't want that HTML content to be encoded). Any suggestions how I should go about it? How do Yahoo Mail, Gmail, etc. do it? Also, how to avoid the problem of double encoding when using email clients like Outlook?

Anyone who has written a sample email client which also avoids the problem of XSS? Any sample programs would be great...

Thanks a lot...
abhishek
Rob Spoor
Sheriff

Joined: Oct 27, 2005
Posts: 19783

I'll move this to our HTML and JavaScript forum.


SCJP 1.4 - SCJP 6 - SCWCD 5 - OCEEJBD 6
How To Ask Questions How To Answer Questions
abhishek kaul
Greenhorn

Joined: May 13, 2010
Posts: 8
Anyone...? Any ideas?
Eric Pascarello
author
Rancher

Joined: Nov 08, 2001
Posts: 15376
Only allow the tags you want and encode the rest. Make sure the tags do not include anything bad.

Most email clients will clean it up also, unless you wrote an email client too. lol

Eric
abhishek kaul
Greenhorn

Joined: May 13, 2010
Posts: 8
Hi Eric.

Thanks for the reply.

I got what you are saying. But see, I don't have a rich text editor. If I allow a bold tag <b>, it has to be typed as follows:

<b>some text</b>

But if I send such a mail to, say, Gmail, it will not make the text bold. It will simply display <b>some text</b>.

The second thing I want to know is: if I encode the tags when I receive the mail, and if I use it with an email client, will the client try to encode it again, resulting in a double encoding problem?

Thanks a lot guys...
abhishek kaul
Greenhorn

Joined: May 13, 2010
Posts: 8
Ok sorry ppl...

Got the prob...

Was not very clear with the concepts...

Thanks again
abhishek kaul
Greenhorn

Joined: May 13, 2010
Posts: 8
Hi Eric...

I tried using the OWASP ESAPI project. It works fine. But it cleans the malicious content, like script tags, etc.

What I want is to allow some tags in my view email page, such as <b>, but encode the script tag as <script>

Composed mail will look like this :

<b>someText</b>
<script>alert('xss')</script>

Viewing the mail will look like this :

someText
<script>alert('xss')</script>

Are there any standard Java tools/jars available which will do this? Because most of the things I saw encode everything or strip off script tags, etc.

Or should I try writing the entire thing from scratch?


Thanks again...

Abhishek...
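Eric's advice ("only allow the tags you want and encode the rest") applied to the view page described in this thread, as an added JavaScript example that is not from the thread or from ESAPI; `ALLOWED_TAGS`, `encodeHtml` and `sanitizeEmailBody` are names assumed here. Only bare tags with no attributes pass through, so `<b onmouseover=...>` is encoded rather than rendered, which is the "make sure the tags do not include anything bad" check.

```javascript
// Added example (not from the thread): allowlist sanitizer for the "view email" page.
// Bare <b>, <i>, <u>, <br> tags pass through; every other tag, and any allowed
// tag that carries attributes, is HTML-encoded so it shows up as visible text.
const ALLOWED_TAGS = new Set(["b", "i", "u", "br"]);

// Encode the characters that can change HTML context.
function encodeHtml(text) {
  return text
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#x27;");
}

// Matches only "bare" tags: optional closing slash, a tag name, optional
// whitespace and self-closing slash, and NO attributes. "<b onmouseover=...>"
// does not match, so it falls through to encodeHtml() below.
const BARE_TAG = /<(\/?)([a-zA-Z][a-zA-Z0-9]*)\s*\/?>/g;

function sanitizeEmailBody(body) {
  let out = "";
  let last = 0;
  for (const m of body.matchAll(BARE_TAG)) {
    // Everything between tags is plain text: always encode it.
    out += encodeHtml(body.slice(last, m.index));
    const [raw, slash, name] = m;
    const tag = name.toLowerCase();
    if (ALLOWED_TAGS.has(tag)) {
      out += `<${slash}${tag}>`; // re-emit a canonical tag, never the raw input
    } else {
      out += encodeHtml(raw);    // <script>, <img>, <iframe>, ... become text
    }
    last = m.index + raw.length;
  }
  return out + encodeHtml(body.slice(last));
}

// Constructed sample matching the thread's "composed mail" example.
const sample = "<b>someText</b>\n<script>alert('xss')</script>";
console.log(sanitizeEmailBody(sample));
```

Run this once, server-side, at the point where the stored message is rendered into the view page, so encoding happens exactly one time no matter what the composing client did.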