Query String Parameters encoding to prevent XSS

Srinivas Yell

Joined: Apr 02, 2012
Posts: 2
Hi All,

There are some filters in my web page. When i select them, they will be appended to the URL as query string name-value pair. For example, when i select the size as small in the page, the URL becomes

What i wanna do is to encode the query string parameter values in the URL, i.e. if some user tries modifying the URL as below: <script>alert('there is a vulnerability!!')</script>, then all the special symbols in the query string of the URL must be replaced with their equivalent encoded values. This is mainly to prevent XSS attacks.

How do I do it?

Jeanne Boyarsky
author & internet detective

Joined: May 26, 2003
Posts: 32635

You have a few choices:
1) Use whitelist validation for the sizes to only allow certain sizes or letter characters.
2) Use a number to size mapping so text can't be entered there at all

[OCA 8 book] [Blog] [JavaRanch FAQ] [How To Ask Questions The Smart Way] [Book Promos]
Other Certs: SCEA Part 1, Part 2 & 3, Core Spring 3, TOGAF part 1 and part 2
Raghavan Muthu
Ranch Hand

Joined: Apr 20, 2006
Posts: 3381

Hi Srinivas Yell,

Welcome to JavaRanch. The very first post of yours is really good.

I second Jeanne Boyarsky's #2 wherein you can map the size attribute to have only numbers and NOT strings.

Otherwise, you can have a simple mapping for the special characters to be replaced -- < with &lt;, > with &gt;, etc.

Everything has got its own deadline including one's EGO!
[CodeBarn] [Java Concepts-easily] [Corey's articles] [SCJP-SUN] [Servlet Examples] [Java Beginners FAQ] [Sun-Java Tutorials] [Java Coding Guidelines]
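Putting Jeanne's two options and Raghavan's character mapping together, as an added example that is not code from the original thread: a whitelist lookup from a numeric size code to its label, plus HTML escaping for anything the page echoes back. The size codes and labels are constructed; in a servlet the raw value would come from `request.getParameter("size")`.

```java
import java.util.Map;
import java.util.Optional;

public class SizeParam {

    // Whitelist: the only query-string values the page accepts. The codes and
    // labels are constructed for this example; the thread does not list its sizes.
    private static final Map<String, String> SIZES = Map.of(
            "1", "small",
            "2", "medium",
            "3", "large");

    /** Returns the mapped size label, or empty when the parameter is missing or not whitelisted. */
    public static Optional<String> resolveSize(String raw) {
        if (raw == null) {
            return Optional.empty();
        }
        // Exact-match lookup only: no parsing and no attempt to "clean" the input.
        return Optional.ofNullable(SIZES.get(raw.trim()));
    }

    /** Escapes text for HTML element content or a double-quoted attribute value. */
    public static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed inputs: a valid code, a label typed by hand, and the thread's markup example.
        String[] inputs = { "2", "small", "<script>alert('there is a vulnerability!!')</script>" };
        for (String in : inputs) {
            String label = resolveSize(in).orElse("unknown");
            // A rejected value may still be shown to the user, but only after escaping
            // for the HTML context, so the browser renders it as text, not markup.
            System.out.println("size=" + in + " -> " + label + " (echo: " + escapeHtml(in) + ")");
        }
    }
}
```

Whitelisting decides what the application acts on; escaping protects the page wherever a raw value is still reflected, so the two are complementary rather than alternatives.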
I agree. Here's the link: