
xss prevention in email compose and view pages

 
abhishek kaul
Greenhorn
Posts: 8
Hi guys,

I don't know if this has been posted before. I searched but could not find anything relevant.

I was modifying my web application to prevent XSS attacks. I went through the OWASP specification (http://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet), which suggests performing HTML encoding, etc. for user input.

I have incorporated that. But now I have to do XSS prevention on my email compose and view pages. Here I need some HTML formatting like bold, italics, etc. (so I don't want that HTML content to be encoded). Any suggestions on how I should go about it? How do Yahoo Mail, Gmail, etc. do it? Also, how to avoid the problem of double encoding when using email clients like Outlook?

Anyone who has written a sample email client which also avoids the problem of XSS? Any sample programs would be great...

Thanks a lot...
abhishek
 
Rob Spoor
Sheriff
Posts: 20611
I'll move this to our HTML and JavaScript forum.
 
abhishek kaul
Greenhorn
Posts: 8
Anyone...? Any ideas?
 
Eric Pascarello
author
Rancher
Posts: 15385
Only allow the tags you want and encode the rest. Make sure the tags do not include anything bad.

Most email clients will clean it up also, unless you wrote an email client too. lol

Eric
 
abhishek kaul
Greenhorn
Posts: 8
Hi Eric.

Thanks for the reply.

I got what you are saying. But see, I don't have a rich text editor. If I allow a bold tag <b>, it has to be typed as follows:

<b>some text</b>

But if I send such a mail to, say, Gmail, it will not make the text bold. It will simply display <b>some text</b>.

The second thing I want to know is: if I encode the tags when I receive the mail, and then use it with an email client, will the client try to encode it again, resulting in a double encoding problem?

Thanks a lot guys...
 
abhishek kaul
Greenhorn
Posts: 8
OK, sorry people...

Got the problem...

Was not very clear on the concepts...

Thanks again
 
abhishek kaul
Greenhorn
Posts: 8
Hi Eric...

I tried using the OWASP ESAPI project. It works fine. But it cleans the malicious content, like script tags, etc.

What I want is to allow some tags in my view email page, such as <b>, but encode the script tag as <script>.

Composed mail will look like this:

<b>someText</b>
<script>alert('xss')</script>

Viewing the mail will look like this:

someText
<script>alert('xss')</script>

Are there any standard Java tools/jars available which will do this? Because most of the things I saw encode everything or strip off script tags, etc.

Or should I try writing the entire thing from scratch?


Thanks again...

Abhishek...
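An added example (not code from this thread, from ESAPI, or from any mail product) of the approach Eric describes: keep only an allow-list of bare formatting tags and HTML-encode everything else, so a composed mail like the one above keeps its <b> pair while the script tag is rendered as literal text. It is written in Java because the thread asks for Java tools; it assumes Java 9+ for Set.of, and the input in main is constructed to mirror the composed mail in the thread.

```java
import java.util.Locale;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class AllowlistHtml {
    // Allow-list: only these element names survive, and only when they carry no attributes.
    private static final Set<String> ALLOWED = Set.of("b", "i", "u");
    // Candidate tag: optional "/", an element name, then anything up to ">" (attributes, stray "/").
    private static final Pattern TAG = Pattern.compile("<(/?)([A-Za-z][A-Za-z0-9]*)([^<>]*)>");

    /** HTML-encode the characters that can break out of a text or attribute context ("&" first). */
    static String encode(String s) {
        return s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")
                .replace("\"", "&quot;").replace("'", "&#39;");
    }

    /** Keep bare allow-listed tags verbatim; encode every other tag and all surrounding text. */
    static String sanitize(String input) {
        StringBuilder out = new StringBuilder(input.length());
        Matcher m = TAG.matcher(input);
        int last = 0;
        while (m.find()) {
            out.append(encode(input.substring(last, m.start())));      // text before the tag
            String name = m.group(2).toLowerCase(Locale.ROOT);
            boolean bare = m.group(3).trim().isEmpty();                // "<b onclick=...>" is not bare
            if (ALLOWED.contains(name) && bare) {
                out.append('<').append(m.group(1)).append(name).append('>');
            } else {
                out.append(encode(m.group()));                         // e.g. <script> becomes &lt;script&gt;
            }
            last = m.end();
        }
        out.append(encode(input.substring(last)));                     // trailing text
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed input, mirroring the composed mail in the thread above.
        String mail = "<b>someText</b>\n<script>alert('xss')</script>";
        System.out.println(sanitize(mail));
    }
}
```

This deliberately does not balance tags (an unclosed <b> only extends bold formatting, it cannot run script), and for production use a tree-building sanitizer such as the OWASP Java HTML Sanitizer is the safer choice; the block is here to show the allow-list idea, not to replace such a library.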
 