JavaRanch » Java Forums » Java » Servlets

Query String Parameters encoding to prevent XSS

Srinivas Yell

Joined: Apr 02, 2012
Posts: 2
Hi All,

There are some filters in my web page. When I select them, they are appended to the URL as query-string name-value pairs. For example, when I select the size as small in the page, the URL becomes

What I want to do is to encode the query string parameter values in the URL, i.e. if some user tries modifying the URL as below: <script>alert('there is a vulnerability!!')</script>, then all the special symbols in the query string URL must be replaced with their equivalent encoded values. This is mainly to prevent XSS attacks.

How do I do it?

Jeanne Boyarsky
author & internet detective

Joined: May 26, 2003
Posts: 33130

You have a few choices:
1) Use whitelist validation for the sizes to only allow certain sizes or letter characters.
2) Use a number to size mapping so text can't be entered there at all

Raghavan Muthu
Ranch Hand

Joined: Apr 20, 2006
Posts: 3381

Hi Srinivas Yell,

Welcome to JavaRanch. The very first post of yours is really good.

I second Jeanne Boyarsky's #2 wherein you can map the size attribute to have only numbers and NOT strings.

Otherwise, you can have a simple mapping for the special characters to be replaced -- < with &lt;, > with &gt; etc.

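The following servlet is an added example illustrating both replies above; it is not code from either poster or from the original thread. It puts Jeanne's two options side by side (an allow-list of size names, and a numeric id-to-size mapping so no free text is accepted at all) and applies Raghavan's character mapping as output escaping, so that whatever is finally written to the page is one of the servlet's own constants, escaped for the context it lands in. The class name SizeFilterServlet, the parameter names size and sizeId, the set of sizes and the use of the javax.servlet API on Java 10 or later are all assumptions of this example.

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.Locale;
import java.util.Map;
import java.util.Set;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical product-listing servlet (assumed for this example, not from the thread).
 * The raw "size" value from the query string is never echoed: it is either
 * matched against an allow-list or looked up by numeric id, and the result is
 * escaped for the HTML or URL context it is written into.
 */
public class SizeFilterServlet extends HttpServlet {

    // Option 1 (Jeanne's #1): the only values "size" may take.
    private static final Set<String> ALLOWED_SIZES = Set.of("small", "medium", "large");

    // Option 2 (Jeanne's #2): numeric id -> size; the page sends "sizeId=1", never text.
    private static final Map<String, String> SIZE_BY_ID =
            Map.of("1", "small", "2", "medium", "3", "large");

    private static final String DEFAULT_SIZE = "medium";

    /** Allow-list validation: anything not on the list falls back to the default. */
    static String sizeFromName(String raw) {
        if (raw == null) return DEFAULT_SIZE;
        String s = raw.trim().toLowerCase(Locale.ROOT);
        return ALLOWED_SIZES.contains(s) ? s : DEFAULT_SIZE;
    }

    /** Numeric mapping: only 1-3 digits are even looked up, so "<script>" can never match. */
    static String sizeFromId(String rawId) {
        if (rawId == null || !rawId.matches("\\d{1,3}")) return DEFAULT_SIZE;
        return SIZE_BY_ID.getOrDefault(rawId, DEFAULT_SIZE);
    }

    /** Raghavan's character mapping, extended to the five characters that matter in HTML. */
    static String htmlEscape(String s) {
        StringBuilder out = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '&':  out.append("&amp;");  break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    /** Percent-encoding for a value placed inside a query string (URL context, not HTML). */
    static String urlEncode(String s) {
        return URLEncoder.encode(s, StandardCharsets.UTF_8); // Charset overload: Java 10+
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Whichever parameter style the page uses, "size" below is one of our constants.
        String size = req.getParameter("sizeId") != null
                ? sizeFromId(req.getParameter("sizeId"))
                : sizeFromName(req.getParameter("size"));

        resp.setContentType("text/html;charset=UTF-8");
        PrintWriter w = resp.getWriter();
        // Escape per context even for a known-safe constant: HTML text, then URL inside an attribute.
        w.println("<p>Showing size: " + htmlEscape(size) + "</p>");
        w.println("<a href=\"?size=" + htmlEscape(urlEncode(size)) + "\">reload with this size</a>");
    }
}
```

With this structure the request from the original question, size=<script>alert('there is a vulnerability!!')</script>, never reaches the page: sizeFromName returns "medium" because the string is not on the allow-list, and sizeFromId returns "medium" because it is not a short run of digits. The escaping functions are still applied on output so that a later change (say, a size name containing an apostrophe) cannot reintroduce the problem; note that the URL context gets URLEncoder and the HTML context gets the entity mapping, since the two replace different characters.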
I agree. Here's the link: