Sanitization routines for HTML input
 
Tom Blough
Ranch Hand
Posts: 263
Anybody have any favorite sanitization routines for cleaning up HTML form data? I'd like not to have to re-invent the wheel - plus I'm not good enough in all the technologies available to be able to correctly prevent injection attempts.

Thanks,
 
Jeanne Boyarsky
author & internet detective
Sheriff
Posts: 36446
Tom,
The easiest thing to do is use URLEncoder before outputting values. This converts < into &lt; and the like.
 
Bear Bibeault
Author and ninkuma
Marshal
Posts: 65833
Actually URLEncoder will not do this. URLEncoder is for use to encode parameters to be placed on a URL.

There is no native Java API that will perform HTML encoding. However, on a JSP page, use of the <c:out> tag will cause the output to be HTML encoded.
[ September 13, 2005: Message edited by: Bear Bibeault ]
 
Tom Blough
Ranch Hand
Posts: 263
Actually, it's data coming to the servlet from a form to be stored in a database. I'd like to clean it up before storing in the database. Right now, I only have a few test pages where the database info is queried and presented via the web, but I envision that to increase.

So, I need to prevent sql injection and cross site scripting. I would prefer to do this on the server side since it is possible to bypass anything on the client side.

I was hoping for something that would strip any HTML tags, and remove or convert metacharacters. The problem is gathering the set of metacharacters I need to remove - SQL, CSS, OS.... Just hoping that someone had already developed a Java library to handle this. Googling has turned up nothing Java-specific, although it looks like Perl has some neat modules for this on CPAN.

Thanks,
 
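The two concerns raised in the thread so far, HTML encoding before output (what <c:out> does on a JSP, with no plain-Java equivalent in the standard library at the time) and keeping form data out of SQL statements, can each be handled in a few lines of servlet-side Java. The following is an added example written for this page; it is not code posted by any participant. The class name, the encodeForHtml and storeComment method names, and the "comments" table with its "body" column are all hypothetical, and the sample input in main is constructed.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.SQLException;

/**
 * Added example, not from the original thread. Names are hypothetical.
 * Two separate defences: encode for the HTML context at output time, and
 * bind values as parameters rather than splicing them into SQL text.
 */
public class FormInputHandling {

    /**
     * Escape the five characters that can change meaning inside HTML text
     * or a quoted attribute. Everything else is passed through unchanged,
     * so the stored data does not need to be altered for display.
     */
    public static String encodeForHtml(String s) {
        if (s == null) {
            return "";
        }
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    /**
     * Store the raw form value using a bound parameter. The value never
     * becomes part of the SQL text, so quotes, semicolons or comment
     * markers inside it remain data rather than syntax.
     * Assumes a table "comments" with a "body" column (hypothetical);
     * the Connection must come from a real JDBC driver to run this.
     */
    public static int storeComment(Connection conn, String body) throws SQLException {
        String sql = "INSERT INTO comments (body) VALUES (?)";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, body);
            return ps.executeUpdate();
        }
    }

    public static void main(String[] args) {
        // Constructed sample of the kind of value a form field might submit.
        String submitted = "<script>alert('x')</script> & O'Brien";
        System.out.println(encodeForHtml(submitted));
    }
}
```

Note that the HTML encoding is applied when the value is written into a page, not before it goes into the database: the same stored string may later be emitted into HTML, a plain-text e-mail or a JSON response, each of which needs a different encoding. The five replacements above are the same ones <c:out> performs by default (escapeXml="true"), so a JSP page can use the tag and a servlet writing directly to the response can use a method like this one. The SQL side needs no character stripping at all once the value is bound as a parameter.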
Tom Blough
Ranch Hand
Posts: 263
Here's what I came up with. I'm sure it's not complete and could be improved substantially, but it's a start.



Cheers,
 