Fixing cross-site scripting (XSS) in search box

 
Greenhorn
Posts: 16
I need your assistance in fixing an issue in the search textbox in one of the JSPs. I was informed that cross-site scripting can be done in the textbox, and I added the code below to my JSP to fix the issue:


Now, after applying the above code, the cross-site scripting can be done, and the problem is that the search can't be done using the textbox; it always displays no results.

So, can you please assist me in writing the best code? Thanks.
 
Rancher
Posts: 43011
We can't help with why your search no longer works, as you haven't posted any of the code related to that. But I do see a whole lot of string replacing that does not seem to make much sense; can you walk us through what you're trying to achieve by those?

If the aim is to display the search terms safely on a web page then the thing to do is to replace pointy brackets, basically what line 13 or 21 does (if you remove the superfluous spaces).

A rather different task is to remove everything from the search term that might confuse the search engine. Now we can't advise on how to go about that because you haven't told us anything about how that works.
 
Marshal
Posts: 67366
Are you using PreparedStatement for your JDBC?
 
Ranch Hand
Posts: 59
There is a lot of misinformation about cross-site scripting out there. Be careful of the sources you use. The first place I would check is:
https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet

For cross site scripting, you should be escaping untrusted data when outputting it on a page. The tag libraries for web frameworks should have a way of doing this for you.

A blacklist approach like you're using is not recommended. It always leaves many holes in the filtering. For example, you're escaping "eval()" but not "eval ()". See https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet for how these filters can be bypassed.

Luckily, this is a solved problem. If you need escaping, use premade, fully tested libraries like:
https://www.owasp.org/index.php/OWASP_Java_Encoder_Project

Replacing input parameters has a few problems. One is that you are removing or corrupting valid user input as well as malicious input. What if the user wants to search for "script"? Another is that it doesn't take output context into account. Data that is safe for attribute values might not be safe for CSS styles or JavaScript contents. This is why these encoder libraries focus on escaping output rather than input, and they have multiple escape methods depending on context.
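As an added illustration of the context-specific output encoding recommended in the reply above (this is not code from the thread or from the OWASP project), here is one way a search term can be rendered into three different output contexts with the OWASP Java Encoder, while the search itself binds the raw term as a JDBC parameter. The `items` table, the `q` parameter name and the `encoder` library being on the classpath are assumptions.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import org.owasp.encoder.Encode;

public class SearchRendering {

    // Search term echoed into HTML element content: HTML-body context.
    public static String asHtmlText(String term) {
        return "<p>Results for " + Encode.forHtml(term) + "</p>";
    }

    // Same term pre-filled back into the search box: quoted attribute context.
    public static String asInputValue(String term) {
        return "<input type=\"text\" name=\"q\" value=\""
                + Encode.forHtmlAttribute(term) + "\">";
    }

    // Same term placed inside a JavaScript string literal in an inline script.
    public static String asJsString(String term) {
        return "<script>var lastQuery = '" + Encode.forJavaScript(term) + "';</script>";
    }

    // The search itself: the raw term is bound as a parameter, so it never has to
    // be "cleaned" first and a user searching for "script" still gets results.
    public static ResultSet search(Connection conn, String term) throws SQLException {
        PreparedStatement ps = conn.prepareStatement(
                "SELECT id, title FROM items WHERE title LIKE ?"); // hypothetical table
        ps.setString(1, "%" + term + "%");
        return ps.executeQuery();
    }

    public static void main(String[] args) {
        // Constructed sample input: a term that tries to break out of its context.
        String term = "\"><script>alert(1)</script>";
        System.out.println(asHtmlText(term));
        System.out.println(asInputValue(term));
        System.out.println(asJsString(term));
    }
}
```

In a JSP, the HTML-body case is what `<c:out value="${param.q}"/>` already does by default (its `escapeXml` attribute is `true`); the attribute and script contexts still need the encoder's dedicated methods.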
 
Bear Bibeault
Marshal
Posts: 67366
I'm wondering if it's really SQL Injection that he needs to worry about (though XSS is also a concern).