Query String Parameters encoding to prevent XSS

Srinivas Yell
Greenhorn

Joined: Apr 02, 2012
Posts: 2
Hi All,

There are some filters in my web page. When I select them, they are appended to the URL as query string name-value pairs. For example, when I select the size as small on the page, the URL becomes http://www.myapplication.com/items/?size=small.

What I want to do is to encode the query string parameter values in the URL, i.e. if some user tries modifying the URL as below:
http://myapplication.com/items/?size=<script>alert('there is a vulnerability!!')</script>, then all the special symbols in the query string URL must be replaced with their equivalent encoded values. This is mainly to prevent XSS attacks.

How do I do it?

Thanks,
Srinivas
Jeanne Boyarsky
author & internet detective
Marshal

Joined: May 26, 2003
Posts: 30913

You have a few choices:
1) Use whitelist validation for the sizes to only allow certain sizes or letter characters.
2) Use a number-to-size mapping so text can't be entered there at all.


[Blog] [JavaRanch FAQ] [How To Ask Questions The Smart Way] [Book Promos]
Blogging on Certs: SCEA Part 1, Part 2 & 3, Core Spring 3, OCAJP, OCPJP beta, TOGAF part 1 and part 2
Raghavan Muthu
Ranch Hand

Joined: Apr 20, 2006
Posts: 3355

Hi Srinivas Yell,

Welcome to JavaRanch! Your very first post is really good.

I second Jeanne Boyarsky's #2, wherein you can map the size attribute to have only numbers and NOT strings.

Otherwise, you can have a simple mapping for the special characters to be replaced: < with &lt;, > with &gt;, etc.


Everything has got its own deadline including one's EGO!
[CodeBarn] [Java Concepts-easily] [Corey's articles] [SCJP-SUN] [Servlet Examples] [Java Beginners FAQ] [Sun-Java Tutorials] [Java Coding Guidelines]
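An added example, not code from this thread: a plain Java helper that puts Jeanne's two choices (whitelist, numeric mapping) and Raghavan's character mapping side by side, so the servlet can reject a bad `size` value outright and only escape on the rare path where a raw value must be echoed. It assumes Java 9+ (`Set.of`/`Map.of`) and a caller that passes in the result of `request.getParameter("size")`; the size names and numeric codes are made up.

```java
import java.util.Map;
import java.util.Optional;
import java.util.Set;

public final class SizeParam {
    // Choice 1: the only values the filter may ever take. Anything else is rejected, not "cleaned".
    private static final Set<String> ALLOWED = Set.of("small", "medium", "large");

    // Choice 2: numeric codes, so free text never reaches the size field at all (codes are made up).
    private static final Map<Integer, String> BY_CODE = Map.of(1, "small", 2, "medium", 3, "large");

    /** Whitelist validation: exact match against ALLOWED, otherwise empty (caller falls back to a default). */
    public static Optional<String> fromWhitelist(String raw) {
        if (raw == null) return Optional.empty();
        return ALLOWED.contains(raw) ? Optional.of(raw) : Optional.empty();
    }

    /** Numeric mapping: accept only a short digit string, then look it up; "2<b>" or "-1" are rejected. */
    public static Optional<String> fromCode(String raw) {
        if (raw == null || !raw.matches("[0-9]{1,3}")) return Optional.empty();
        return Optional.ofNullable(BY_CODE.get(Integer.parseInt(raw)));
    }

    /** Output encoding for the few places a raw value is echoed into HTML (e.g. "no results for ..."). */
    public static String escapeHtml(String s) {
        StringBuilder out = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '&':  out.append("&amp;");  break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed sample: what request.getParameter("size") would return for the URL in the question.
        String hostile = "<script>alert('there is a vulnerability!!')</script>";
        System.out.println("whitelist small   : " + fromWhitelist("small"));
        System.out.println("whitelist hostile : " + fromWhitelist(hostile));
        System.out.println("code 2            : " + fromCode("2"));
        System.out.println("code 2<b>         : " + fromCode("2<b>"));
        System.out.println("escaped hostile   : " + escapeHtml(hostile));
    }
}
```

Validation happens when the parameter is read, escaping happens when a value is written into the page; the two are different controls and the first one removes the need for the second on the `size` filter itself.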