security XSS: input validation from server side?


@Gray Yes, I agree; was just trying to simplify (in this case leading to an over-simplification). :p

@mjsa <img src="" onerror="alert(1)"/> Just didn't want anyone to take your message literally. XSS doesn't always require script tags. I know you are saying that <, >, etc. would get escaped here, but the comment itself could be misleading.

Also be careful of SQL injection and CSRF attacks. The OWASP Top Ten outlines some common vulnerabilities.

Essentially you need to substitute HTML special characters like < with their HTML entities like &lt;.

In JSP you can protect against this using the JSTL <c:out> tag or fn:escapeXml(). There is another answer that covers that here. In PHP you can try using the htmlspecialchars function.

So is there some sort of library to escape and validate the user input regarding whether it's HTML code, JavaScript... (server side)? In the JSP, I can't use the JSTL <c:out> tag or fn:escapeXml() because I have a list of objects that may contain malicious code which I give to a table library to display the content of this list.

You just need to filter HTML tags; JavaScript can't run unless you wrap it in <script> tags.

The problem with XSS is that it's context dependent. You need to encode differently depending on where you're displaying the user output (e.g., different encoding for data you're placing between JavaScript tags, or in the URI, or between HTML tags). OWASP Java Encoder sets up different contexts you can encode/decode for. If the data is just output through a JSP tag, then I would use

    Encode.forHtml("input here");

This library also allows you to do the encoding through JSP tags in your JSP pages, but you'll have to dig around a bit to find the doco for that. I've always done it in Java.

You can also encode for JavaScript:

    Encode.forJavaScript("input here");

You can download it on the owasp site, or through maven (look on the github link).
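The point made in the comment thread (the <img onerror> payload needs no <script> tag) and in the answer above (the encoder has to match the output context) can be checked mechanically. The following is an added example, not code from the thread or from the OWASP project: the two encoders are hand-written stand-ins for what a library like OWASP Java Encoder provides, the payloads are constructed, and Python's standard-library HTML tokenizer is used as a stand-in for the browser to show which tags and attributes each rendering actually produces. The unquoted-attribute renderer is deliberately wrong to show a correct encoder failing in the wrong context; the link renderer adds the scheme allow-list that no encoder can replace.

```python
"""Context-dependent output encoding against XSS.

Added example, not code from the original thread. The encoders below are
hand-written stand-ins for what a library such as OWASP Java Encoder provides
(Encode.forHtml, Encode.forJavaScript, ...), so the exact escape sequences are
this example's choice. All payloads are constructed for illustration.
"""
from html.parser import HTMLParser

# Payload quoted in the comment thread: fires from an event handler, no <script> tag.
IMG_ONERROR = '<img src="" onerror="alert(1)"/>'
# Constructed payloads for the attribute, JavaScript-string and URL contexts.
ATTR_BREAKOUT = "x onmouseover=alert(1)"
JS_BREAKOUT = '"; alert(1); //</script><script>alert(2)'
JS_URL = "javascript:alert(1)"


def encode_html(value: str) -> str:
    """HTML body or *quoted* attribute context: the five significant
    characters become entities, so '<' can never start a tag."""
    return (value.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")
                 .replace('"', "&quot;").replace("'", "&#x27;"))


def encode_js_string(value: str) -> str:
    """JavaScript string-literal context: every non-alphanumeric character
    becomes a \\xHH or \\uHHHH escape, so quotes, newlines and '</script>'
    cannot survive into the script source."""
    out = []
    for ch in value:
        if ch.isascii() and ch.isalnum():
            out.append(ch)
        elif ord(ch) < 0x100:
            out.append(f"\\x{ord(ch):02X}")
        else:
            out.append(f"\\u{ord(ch):04X}")
    return "".join(out)


class _StartTags(HTMLParser):
    """Records every start tag the tokenizer sees, with its attribute list."""

    def __init__(self) -> None:
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs) -> None:
        self.tags.append((tag, attrs))


def start_tags(markup: str) -> list:
    """Tokenize rendered markup the way a browser would and return
    [(tagname, [(attr, value), ...]), ...]. A tag or attribute the template
    did not write means the payload escaped its intended context."""
    parser = _StartTags()
    parser.feed(markup)
    parser.close()
    return parser.tags


def render_body(value: str) -> str:
    """Untrusted text between tags (the table-cell case from the question)."""
    return f"<td>{encode_html(value)}</td>"


def render_unquoted_attr(value: str) -> str:
    """Wrong on purpose: right encoder, wrong context. Spaces are not
    entities, so an unquoted attribute value can grow a second attribute."""
    return f"<div title={encode_html(value)}>x</div>"


def render_quoted_attr(value: str) -> str:
    """Right: HTML encoding plus quotes around the attribute value."""
    return f'<div title="{encode_html(value)}">x</div>'


def render_js_string(value: str) -> str:
    """Untrusted text inside a string literal in an inline script block."""
    return f'<script>var s = "{encode_js_string(value)}";</script>'


def render_link(url: str) -> str:
    """URL context: no encoder makes 'javascript:' harmless, so the scheme is
    allow-listed first and the result is attribute-encoded afterwards."""
    if not url.lower().startswith(("http://", "https://")):
        url = "#"
    return f'<a href="{encode_html(url)}">link</a>'


if __name__ == "__main__":
    for label, markup in [
        ("body", render_body(IMG_ONERROR)),
        ("unquoted attr (vulnerable)", render_unquoted_attr(ATTR_BREAKOUT)),
        ("quoted attr", render_quoted_attr(ATTR_BREAKOUT)),
        ("js string", render_js_string(JS_BREAKOUT)),
        ("link", render_link(JS_URL)),
    ]:
        print(f"{label:28} {start_tags(markup)}")
```

Running it shows the body, quoted-attribute, script and link renderings each producing exactly the one tag the template wrote, while the unquoted-attribute rendering produces a <div> carrying an extra onmouseover attribute even though the value went through the HTML encoder. That is the practical meaning of "context dependent": pick the encoder for the slot the data lands in, quote attribute values, and validate URLs by scheme rather than trying to encode them safe.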

If you can restrict the input to a string of alphanumeric characters, or better yet a whitelist of authorized values, you are most likely safe. This means no spaces, no single quotes or double quotes, no less-than or greater-than signs, no commas, no colons, no semicolons... If you can't, and you have no control over the rendering code as seems to be the case, then all bets are off.

The right way to address this would be to fix this library (which you have no control over) or to replace it with something better. The flaw is in the library, not in your code. XSS vulnerabilities exist because of rendering code which inserts data in unsafe locations and/or does not properly escape its output.

This being said, it might be possible to secure your application without fixing/replacing the library. Or it might not. It largely depends on where the library inserts the user-supplied data.
