JavaRanch » Java Forums » Java » Servlets

Servlet Filter for XSS prevention


Joined: Apr 20, 2007
Posts: 3
My application has been through a security audit and I was told that there are XSS issues (parameters passed through the URL are stored without filtering, and output is not entity encoded to take care of HTML metacharacters).

I have 2 questions:

1. I am planning to use a servlet filter with AntiSamy to filter user input for script tag presence. Does it take care of all HTML metacharacters? Which policy file should I use? There is no requirement to enter HTML input.
2. How can I replicate this issue? I have tried injecting
a. <BR SIZE="&{alert('XSS')}">
b. <script>alert(123)</script>
with other user inputs through text fields, but had NO success in creating an alert while rendering the JSP (through JSON and ExtJS). Please suggest how I can reproduce this issue. The application does not take care of XSS as of today.
Bear Bibeault
Author and ninkuma

Joined: Jan 10, 2002
Posts: 63838

1. That's a question best answered by the author or by inspecting the code.
2. The problem is unlikely to manifest when simply returning info as JSON, as that's just data. It depends what you do with that data.

The easiest way to replicate the problem is to enter a script tag as a value that gets displayed in a JSP. Using <c:out> when displaying unsafe data solves 99% of the problem.

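To illustrate the reply above (an added example, not code from the thread or from either poster): the stored value is harmless while it travels as JSON, and becomes XSS only at the point where a client-side template or a JSP writes it into HTML without entity encoding. The `escapeHtml` helper below mirrors what `<c:out>` does by default (it encodes `& < > " '`); the renderer functions, the `STORED_VALUES` list and the check helper are this example's own constructions, and the sample payloads are the two from the original question plus one attribute-breaking value.

```javascript
// Added example (not from the original thread): a stored value returned as
// JSON is just data; it becomes XSS when rendered into HTML unencoded, and is
// neutralised when the HTML metacharacters are entity-encoded on output.
// All helper names here are this example's own, not an existing library API.

// Entity-encode the characters that can terminate HTML text or an attribute
// value. This is the same set <c:out> escapes by default (escapeXml="true").
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&#034;', "'": '&#039;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Constructed sample values standing in for what an unfiltered URL parameter
// would have stored: the two payloads from the question plus an attribute one.
const STORED_VALUES = [
  '<script>alert(123)</script>',
  '<BR SIZE="&{alert(\'XSS\')}">',
  '" onmouseover="alert(1)',
];

// Server side: returning the stored value as JSON. JSON.stringify escapes only
// what the JSON grammar needs (quotes, backslashes, control characters), so the
// "<script>" text survives intact inside the string, which is not a bug: JSON
// carries data, it does not render it.
function toJsonResponse(name) {
  return JSON.stringify({ name });
}

// Vulnerable client-side renderer: builds markup by string concatenation, as an
// ExtJS template or a JSP using ${...} without <c:out> would.
function renderUnsafe(record) {
  return `<div class="user" title="${record.name}">Hello, ${record.name}</div>`;
}

// Hardened renderer: every untrusted value passes through escapeHtml first,
// in both the attribute context and the element text context.
function renderSafe(record) {
  const n = escapeHtml(record.name);
  return `<div class="user" title="${n}">Hello, ${n}</div>`;
}

// Does the rendered fragment still contain the raw payload, i.e. a live tag or
// an unescaped attribute terminator? A string check is enough for this demo;
// it is not an HTML parser.
function containsRawPayload(html, payload) {
  return html.includes(payload);
}

// Run every sample value through the JSON round-trip and both renderers.
function demo() {
  return STORED_VALUES.map((value) => {
    const record = JSON.parse(toJsonResponse(value)); // what the browser receives
    return {
      value,
      jsonIsOnlyData: record.name === value,          // data survives unchanged
      unsafeHasPayload: containsRawPayload(renderUnsafe(record), value), // true
      safeHasPayload: containsRawPayload(renderSafe(record), value),     // false
    };
  });
}

console.log(JSON.stringify(demo(), null, 2));
```

Reproducing the audit finding therefore means following the data to the render step: a value that arrives in the JSON response with its `<` intact will fire once the page inserts it with `innerHTML`, an unescaped template, or `${param}` in a JSP; the same value written through `<c:out>` (or the equivalent of `escapeHtml` above) shows up as literal text.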