mark I thomas
Ranch Hand
Posts: 86
Bear, I posted one question and it was handled in the HTML section, thanks. As a follow-up, I would like to ask --

I want to make sure my site is cross site scripting (XSS) safe. So I want to "translate" some chars into a safe format. Do you think this will be a good approach --

Use a servlet filter and scan the URL, replace XSS JavaScript chars with a safe format, and then forward the servlet to this newly modified URL. Questions:

1) Shall I convert the double quote (") into %22 or &quot;?
2) There is a problem when I forward the servlet to the new URL -- it will still have to go through the filter, and then when it sees "&", it will RE-convert this char! But I don't want it to do that because this "&" char is associated with other chars as a unit.

Thanks.
 
Bear Bibeault
Author and ninkuma
Marshal
Posts: 66203
Sorry I don't understand what you are trying to do. There is no need to filter incoming URLs. What would you hope to accomplish? Rather, always be sure to validate any incoming data before using it.
 
mark I thomas
Ranch Hand
Posts: 86
Originally posted by Bear Bibeault:
Sorry I don't understand what you are trying to do. There is no need to filter incoming URLs. What would you hope to accomplish? Rather, always be sure to validate any incoming data before using it.


Bear, if you want, please read

http://www.cgisecurity.com/articles/xss-faq.shtml

http://www.stripesframework.org/display/stripes/XSS+filter

http://greatwebguy.com/programming/java/simple-cross-site-scripting-xss-servlet-filter/
 
Bear Bibeault
Author and ninkuma
Marshal
Posts: 66203
Yes, I know about XSS. What are you trying to do with your filter?
 
mark I thomas
Ranch Hand
Posts: 86
Originally posted by Bear Bibeault:
Yes, I know about XSS. What are you trying to do with your filter?


Bear, I want to do a similar thing to what those links do -- converting those malicious characters into a "safe" format and passing them to the server. I guess that's how those people did it. But my questions are ---

1. Why did they choose to take a hard-coded (more or less) approach? They specified the chars that need to be converted one by one. Why can't we just do URLEncode for the whole thing? Will it work?

2. More importantly, I noticed in one link they converted " into &quot;, but I remember you said it should be converted into %22, right? Which format should I convert it to? And why?

Thank you.
 
Bear Bibeault
Author and ninkuma
Marshal
Posts: 66203
I'm not sure who the "they" is that you are talking about (and sorry, but I don't have the time to try and find out). But it sounds like you are having trouble distinguishing between URL encoding and HTML encoding.

URL encoding is used to allow characters that would otherwise be construed as control characters in a URL (=, &, and so on) to be used as part of parameter names and values of URLs. It is used when creating URLs.

HTML encoding is used to allow control characters that would otherwise be construed as HTML markup (angle brackets, quotes) to be used in template text within a web page.

These are distinct types of encoding, used in different circumstances, and with very different rules (the %22 vs. &quot; difference you mentioned).

HTML encoding is especially important with regards to protecting your pages when displaying untrusted text. Let's say for example that a user enters his name as:
<script>alert('Hi there!');</script>

rather than "Bob".

If you just take that text and plunk it into your page, it will be interpreted by the browser as a script tag and the alert will be displayed. HTML encoding all untrusted output prevents these sorts of shenanigans.
[ May 17, 2008: Message edited by: Bear Bibeault ]
 
Bear Bibeault
Author and ninkuma
Marshal
Posts: 66203
P.S. This encoding is automatically handled for you by use of the JSTL's <c:out> tag when emitting untrusted dynamic text to a web page.
[ May 17, 2008: Message edited by: Bear Bibeault ]
 
mark I thomas
Ranch Hand
Posts: 86
Thanks Bear. Basically the links I gave you are examples showing how some people handle XSS from the server side -- the filter scans the URL and gets the parameter values. Then it either filters (skips) those malicious chars (", <, >, etc.) or replaces them. Sorry, I was confused by URL encoding and HTML encoding... So in this case, the filter should convert such chars using HTML encoding, correct?

Thank you.
 
Bear Bibeault
Author and ninkuma
Marshal
Posts: 66203
151
IntelliJ IDE Java jQuery Mac Mac OS X
I really don't understand the utility of doing this in a filter at all. What's the point?

It's only upon the display of untrusted strings that any encoding needs to take place.
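To make the distinction in the two posts above concrete (URL encoding versus HTML encoding, and the "&" re-conversion problem from the first post), here is an added Java example. It is not code from this thread or from any of the linked filters: the htmlEncode method is a hand-written escaper for the five characters JSTL's <c:out> escapes, the URL side uses java.net.URLEncoder (the Charset overload needs Java 10 or later), and the profileLink and greeting method names are my own.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;

// Added illustration, not code from the thread: the same untrusted string
// handled with URL encoding when building a URL and with HTML encoding when
// displaying it, plus the double-encoding effect a request filter produces.
public class EncodingDemo {

    // HTML-encode text for insertion into a page. Covers the five characters
    // that JSTL's <c:out> escapes: < > & ' "
    static String htmlEncode(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // URL-encode one parameter value for use in a query string.
    static String urlEncode(String s) {
        return URLEncoder.encode(s, StandardCharsets.UTF_8);
    }

    // Where URL encoding belongs: building a link that carries the value.
    // (hypothetical path and parameter name)
    static String profileLink(String untrustedName) {
        return "/profile?name=" + urlEncode(untrustedName);
    }

    // Where HTML encoding belongs: emitting the value into a page, at display time.
    static String greeting(String untrustedName) {
        return "<p>Hello, " + htmlEncode(untrustedName) + "</p>";
    }

    public static void main(String[] args) {
        // Constructed sample input: the "name" from Bear's post above.
        String name = "<script>alert('Hi there!');</script>";

        System.out.println("raw     : " + name);
        System.out.println("in URL  : " + profileLink(name));
        System.out.println("in HTML : " + greeting(name));

        // The re-conversion problem from the first post: if a filter has
        // already HTML-encoded the request value and the page encodes it
        // again at display time, the "&" that starts each entity is encoded
        // a second time, and the browser shows the entity text literally.
        String quoted = "\"Bob\"";
        String once = htmlEncode(quoted);   // filter's pass
        String twice = htmlEncode(once);    // display-time pass on top of it
        System.out.println("encoded once  : " + once);
        System.out.println("encoded twice : " + twice);
    }
}
```

Compile and run it with javac and java. The same double quote that becomes %22 in the query string becomes &quot; in the page, which is the difference the earlier posts were arguing about; the final two lines show why encoding on the way in (a filter) collides with encoding on the way out (the view), and why Bear keeps pointing at the display step as the one place the encoding belongs.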
 
P Lavti
Ranch Hand
Posts: 65
Hi,

I am also looking for a solution to the same problem, making the application XSS safe.

One way, as suggested by you, is to use <c:out> tags.

But my problem is that the application is already deployed at the customer site, and now if I try to use this tag in all the places, it involves a huge amount of time-consuming work.

Is there any other way to achieve it which will do the encoding, e.g. every request to the server going through a filter to encode the HTML special chars?

Thanks!
[ July 08, 2008: Message edited by: P Lavti ]
 