
Query String Parameters encoding to prevent XSS

 
Srinivas Yell
Greenhorn
Posts: 2
Hi All,

There are some filters in my web page. When I select them, they will be appended to the URL as query string name-value pairs. For example, when I select the size as small in the page, the URL becomes http://www.myapplication.com/items/?size=small.

What I want to do is to encode the query string parameter values in the URL, i.e. if some user tries modifying the URL as below:
http://myapplication.com/items/?size=<script>alert('there is a vulnerability!!')</script>, then all the special symbols in the query string URL must be replaced with their equivalent encoded values. This is mainly to prevent XSS attacks.

How do I do it?

Thanks,
Srinivas
 
Jeanne Boyarsky
author & internet detective
Marshal
Posts: 34669
You have a few choices:
1) Use whitelist validation for the sizes to only allow certain sizes or letter characters.
2) Use a number to size mapping so text can't be entered there at all.
 
Raghavan Muthu
Ranch Hand
Posts: 3381
Hi Srinivas Yell,

Welcome to JavaRanch! The very first post of yours is really good.

I second Jeanne Boyarsky's #2 wherein you can map the size attribute to have only numbers and NOT strings.

Otherwise, you can have a simple mapping for the special characters to be replaced: < with &lt;, > with &gt;, etc.
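The three suggestions in this thread (whitelist the sizes, map numbers to sizes, and entity-escape anything that does get echoed), as an added example that is not code from any poster. The class name SizeParam and the method names are assumptions for illustration.

```java
import java.util.Locale;
import java.util.Map;
import java.util.Set;

// Added example, not from the thread: three ways to handle the "size" query
// parameter so that a value like ?size=<script>...</script> never reaches a page.
public final class SizeParam {
    // 1) Whitelist: only these exact values are accepted, anything else is rejected.
    private static final Set<String> ALLOWED = Set.of("small", "medium", "large");

    // 2) Numeric mapping: the URL carries ?size=1, so free text has no meaning at all.
    private static final Map<String, String> BY_CODE = Map.of(
        "1", "small", "2", "medium", "3", "large");

    /** Canonical size for a raw parameter value, or null if it is not on the whitelist. */
    public static String fromWhitelist(String raw) {
        if (raw == null) return null;
        String v = raw.trim().toLowerCase(Locale.ROOT);
        return ALLOWED.contains(v) ? v : null;
    }

    /** Size for a numeric code, or null for anything that is not a known code. */
    public static String fromCode(String raw) {
        return raw == null ? null : BY_CODE.get(raw.trim());
    }

    /** 3) Entity escaping for the rare case where a raw value must be echoed into HTML text. */
    public static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        String tampered = "<script>alert('there is a vulnerability!!')</script>";
        System.out.println(fromWhitelist(tampered)); // null: rejected, nothing to echo
        System.out.println(fromWhitelist(" Small ")); // small
        System.out.println(fromCode("2"));            // medium
        System.out.println(escapeHtml(tampered));     // &lt;script&gt;alert(&#39;...
    }
}
```

Prefer the first two approaches; escaping is the fallback for output, and the escaped form is only safe inside HTML element text, not inside a script block or an unquoted attribute.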
 