xss prevention in email compose and view pages

 
Greenhorn
Posts: 8
Hi guys,

I don't know if this has been posted before. I searched but could not find anything relevant.

I was modifying my web application to prevent XSS attacks. I went through the OWASP specification (http://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet), which suggests performing HTML encoding, etc. for user input.

I have incorporated that. But now I have to do XSS prevention on my email compose and view pages. Here I need some HTML formatting like bold, italics, etc. (so I don't want that HTML content to be encoded). Any suggestions how I should go about it? How do Yahoo Mail, Gmail, etc. do it? Also, avoid the problem of double encoding when using email clients like Outlook.

Anyone who has written a sample email client which also avoids the problem of XSS? Any sample programs would be great...

Thanks a lot...
abhishek
 
Sheriff
Posts: 22783
I'll move this to our HTML and JavaScript forum.
 
abhishek kaul
Greenhorn
Posts: 8
Anyone...? Any ideas?
 
author
Posts: 15385
Only allow the tags you want and encode the rest. Make sure the tags do not include anything bad.

Most email clients will clean it up also, unless you wrote an email client too. lol

Eric
 
abhishek kaul
Greenhorn
Posts: 8
Hi Eric.

Thanks for the reply.

I got what you are saying. But see, I don't have a rich text editor. If I allow a bold tag <b>, it has to be typed as follows:

<b>some text</b>

But if I send such a mail to, say, Gmail, it will not make the text bold. It will simply display <b>some text</b>.

The second thing that I want to know is: if I encode the tags when I receive the mail, and if I use it with an email client, will the client try to encode it again, resulting in a double encoding problem?

Thanks a lot guys...
 
abhishek kaul
Greenhorn
Posts: 8
OK, sorry people...

Got the problem...

Was not very clear with the concepts...

Thanks again
 
abhishek kaul
Greenhorn
Posts: 8
Hi Eric...

I tried using the OWASP ESAPI project. It works fine. But it cleans the malicious content, like script tags, etc.

What I want is to allow some tags, such as <b>, in my view email page, but encode the script tag as <script>.

Composed mail will look like this:

<b>someText</b>
<script>alert('xss')</script>

Viewing the mail will look like this :

someText
<script>alert('xss')</script>

Are there any standard Java tools/jars available which will do this? Because most of the things I saw encode everything or strip off script tags, etc.

Or should I try writing the entire thing from scratch?


Thanks again...

Abhishek...
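The approach Eric describes (allow only the tags you want, encode the rest) is also exactly what the last post asks a tool for, so here it is written out as an added Java example. This is not code from the thread, from ESAPI, or from any OWASP project; the class name AllowlistHtmlSanitizer, the tag list and the sample message are assumptions made for this illustration. The allowed tags are deliberately attribute-free, which is the cheap way to honour "make sure the tags do not include anything bad": a tag that carries any attribute simply fails to match and gets encoded as text.

```java
import java.util.Locale;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Allowlist-based sanitizer for a "view email" page: a handful of
 * attribute-free formatting tags pass through as markup, and every other
 * '<', '>', '&', '"' and '\'' in the message is HTML-encoded.
 * Hypothetical class written for this thread; not part of ESAPI.
 */
public final class AllowlistHtmlSanitizer {

    // Tags kept as markup. No href, src, style or on* handlers are ever accepted.
    private static final Set<String> ALLOWED_TAGS = Set.of("b", "i", "u", "em", "strong", "br", "p");

    // A bare tag: optional "/", a name, optional whitespace, optional self-closing "/", then ">".
    // Anything carrying attributes (e.g. <b onmouseover=...>) does not match and is encoded as text.
    private static final Pattern BARE_TAG = Pattern.compile("<(/?)([A-Za-z]+)\\s*(/?)>");

    private AllowlistHtmlSanitizer() {}

    /** HTML-encodes a plain-text fragment: the "encode the rest" half of the approach. */
    public static String encode(String text) {
        StringBuilder sb = new StringBuilder(text.length());
        for (int i = 0; i < text.length(); i++) {
            char c = text.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /**
     * Keeps allowlisted bare tags and encodes everything else. Call this at render time
     * on the stored original message, never on already-encoded text.
     */
    public static String sanitize(String message) {
        StringBuilder out = new StringBuilder(message.length());
        Matcher m = BARE_TAG.matcher(message);
        int last = 0;
        while (m.find()) {
            // Text between tags is always encoded.
            out.append(encode(message.substring(last, m.start())));
            String name = m.group(2).toLowerCase(Locale.ROOT);
            if (ALLOWED_TAGS.contains(name)) {
                // Re-emit the tag in canonical form rather than echoing the raw match.
                out.append('<').append(m.group(1)).append(name).append(m.group(3)).append('>');
            } else {
                // <script>, <iframe>, <img>, ... become visible text.
                out.append(encode(m.group()));
            }
            last = m.end();
        }
        out.append(encode(message.substring(last)));
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed sample: the composed mail from the thread plus a tag that smuggles an attribute.
        String composed = "<b>someText</b>\n"
                        + "<script>alert('xss')</script>\n"
                        + "<b onmouseover=alert(1)>hover</b>";
        System.out.println(sanitize(composed));
    }
}
```

Running main shows the first line kept bold, the script element turned into visible text, and the attribute-bearing <b ...> encoded while its plain closing </b> is kept (a stray closing tag is harmless). On the double-encoding question from earlier in the thread: store the message exactly as received and apply sanitize once, at the moment the view page is rendered; if you stored the encoded form and then encoded again on display, the reader would see literal &amp;lt; sequences. For a production application the OWASP Java HTML Sanitizer project provides a maintained, policy-driven version of this same idea, and its tokenizer handles the HTML corner cases this regex does not.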
 