• Post Reply Bookmark Topic Watch Topic
  • New Topic
programming forums Java Mobile Certification Databases Caching Books Engineering Micro Controllers OS Languages Paradigms IDEs Build Tools Frameworks Application Servers Open Source This Site Careers Other all forums
this forum made possible by our volunteer staff, including ...
Marshals:
  • Campbell Ritchie
  • Liutauras Vilda
  • Jeanne Boyarsky
  • Devaka Cooray
  • Paul Clapham
Sheriffs:
  • Tim Cooke
  • Knute Snortum
  • Bear Bibeault
Saloon Keepers:
  • Ron McLeod
  • Tim Moores
  • Stephan van Hulst
  • Piet Souris
  • Ganesh Patekar
Bartenders:
  • Frits Walraven
  • Carey Brown
  • Tim Holloway

HTML escaping for XSS prevention

 
Greenhorn
Posts: 5
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Hi,

I have been working on a project for which I need to do the HTML escaping/encoding to prevent XSS. My project has 2 modules. One is in Spring and the other in Struts. For Spring module I can easily achive this without modifying JSPs by setting the 'defaultHtmlEscape' to true in Web.xml context parameter.
However, for Struts module is there a similar way where I can configure html encoding is required or not.

Currently, for Struts module I am planning to use "StringEscapeUtils.escapeHtml" of apache for Struts module fields.

Also, I saw in some projects that the html encoding is done for even "<font colour" values. Please let me know which are all the fileds I need to encode.

Thanks,
Nagesh
 
Sheriff
Posts: 67265
170
Mac Mac OS X IntelliJ IDE jQuery Java
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Please be sure to ask Struts questions in the Struts forum. I have moved this post there for you.
 
Author
Posts: 12617
IntelliJ IDE Ruby
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator

Nagesh Hebbar wrote:Also, I saw in some projects that the html encoding is done for even "<font colour" values. Please let me know which are all the fileds I need to encode.


Wouldn't it make more sense to ask about specific tags, attributes, etc. in the HTML forum?

In any case, I usually just make an S2 interceptor that does tag stripping, and I usually just use esapeHtml, but it depends on what I actually need to do.

*Which* tags is a completely separate issue, and more complex than you think, since you might also need to scrub even handler attributes and so on.
 
Nagesh Hebbar
Greenhorn
Posts: 5
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Hi David,

Regarding your first question, I did post this question in HTML forum. But, later this post was moved here.

As far as using "S2 interceptor that does tag stripping", I believe this is done at the server side. If that is the case, then it will not resolve my problem because, whenever user enters some malicious input, it will executed at the browser side before coming to the server side.

So, what I need is to encode the html special chars like "<&>" to "<,&, >" while we output to the browser. I know that for Spring framework, we can easily configure this in Web.xml. So, I was wondering whether there is something similar in Struts framework as well.

Please do let me know your comments.

Thanks,
Nagesh
 
David Newton
Author
Posts: 12617
IntelliJ IDE Ruby
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator

Nagesh Hebbar wrote:whenever user enters some malicious input, it will executed at the browser side before coming to the server side.


How? You input it then write it to the DOM?
 
Nagesh Hebbar
Greenhorn
Posts: 5
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Hi David,

I'll give you an example:

Suppose there is a input text box calle "name" with 100 characters length, then imagine if user enters

" /> <script>alert('XSS Testing");</script>

If the user(or attacker) submits, the alert message will be displayed on the browser. Because of this we need to do HTML output encoding so that, user input will not be executed as script.

<C:out> tag already does encoding.
 
David Newton
Author
Posts: 12617
IntelliJ IDE Ruby
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Can you see that your post didn't work?

In any case, no, you're just submitting text--why would anything be executed?
 
Nagesh Hebbar
Greenhorn
Posts: 5
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Here is the link explaining the Cross site scripting attack:

http://today.java.net/article/2005/09/19/handling-java-web-application-input-part-2

Please go through the link whenever you get a chance. That article clearly explaing why HTML output encoding is required.
 
David Newton
Author
Posts: 12617
IntelliJ IDE Ruby
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator

Nagesh Hebbar wrote:If the user(or attacker) submits, the alert message will be displayed on the browser.


That's what you said. But that is not true: XSS is on display, not on submit. I replied to what you actually said.

If you're already using c:out to escape, then what's your actual question?
 
Nagesh Hebbar
Greenhorn
Posts: 5
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
That is the best example I could come up with. And for that reason only I need to do HTML encoding for the fields.

P.S. I am not using <c:out>. I just gave you an example that if we use <c:out> the value will be html encoded.
My problem is I have an existing application which is not using <c:out> for display and it is in Struts framework. now, for encoding all the fields, I need to do it in all JSPs. Thats the reason I asked whether there is some configuration in Struts framework to enable HTML encoding similar to Spring Framework
.

Anyway, Thanks a lot for your replies.

Thanks,
Nagesh
 
David Newton
Author
Posts: 12617
IntelliJ IDE Ruby
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
But it's not an example of what you're talking about; you're talking about XSS but had said it would be executed on submit, which isn't the case.

In any case, no, there's no global setting for that in Struts (which makes sense to me, since I might not *want* to always escape/not-escape values). The <s:property> tag has an escape attribute; if you're just using JSP EL you'll have to escape it on input, or before it gets to the view (which could also be done via an interceptor).
 
  • Post Reply Bookmark Topic Watch Topic
  • New Topic
Boost this thread!