Fixing cross-site scripting (XSS) in search box

 
Mahmood Ali
Greenhorn
Posts: 16
I need your assistance in fixing an issue in the search textbox in one of the JSPs. I was informed that cross-site scripting can be done in the textbox, and I added the code below to my JSP to fix the issue:


Now, after applying the above code, cross-site scripting can be done, and the problem is that the search can't be done using the textbox; it always displays no results.

So, can you please assist me in writing the best code? Thanks.
 
Ulf Dittmer
Rancher
Posts: 42972
We can't help with why your search no longer works, as you haven't posted any of the code related to that. But I do see a whole lot of string replacing that does not seem to make much sense; can you walk us through what you're trying to achieve by those?

If the aim is to display the search terms safely on a web page then the thing to do is to replace pointy brackets, basically what line 13 or 21 does (if you remove the superfluous spaces).

A rather different task is to remove everything from the search term that might confuse the search engine. Now we can't advise on how to go about that because you haven't told us anything about how that works.
 
Bear Bibeault
Author and ninkuma
Marshal
Posts: 66306
Are you using PreparedStatement for your JDBC?
 
Sresh Rangi
Ranch Hand
Posts: 54
There is a lot of misinformation about cross-site scripting out there. Be careful of the sources you use. The first place I would check is:
https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet

For cross-site scripting, you should be escaping untrusted data when outputting it on a page. The tag libraries for web frameworks should have a way of doing this for you.

A blacklist approach like you're using is not recommended. It always leaves many holes in the filtering. For example, you're escaping "eval()" but not "eval ()". See https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet for how these filters can be bypassed.

Luckily, this is a solved problem. If you need escaping, use premade, fully tested libraries like:
https://www.owasp.org/index.php/OWASP_Java_Encoder_Project

Replacing input parameters has a few problems. One is that you are removing or corrupting valid user input as well as malicious input. What if the user wants to search for "script"? Another is that it doesn't take output context into account. Data that is safe for attribute values might not be safe for CSS styles or JavaScript contents. This is why these encoder libraries focus on escaping output rather than input, and they have multiple escape methods depending on context.
 
Bear Bibeault
Author and ninkuma
Marshal
Posts: 66306
I'm wondering if it's really SQL Injection that he needs to worry about (though XSS is also a concern).
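The following is an added example, not code posted by anyone in this thread, that puts Sresh's and Bear's advice together: the search term is bound to the database query with a `PreparedStatement` (so it can never alter the SQL), and it is echoed back to the page through the OWASP Java Encoder with a different encoder for each output context, instead of being mangled by a blacklist on the way in. The class name `SafeSearch`, the `products(name)` table and the presence of the `org.owasp.encoder:encoder` artifact on the classpath are assumptions made for the example.

```java
// Added example (not from the thread). Assumes org.owasp.encoder:encoder is on the
// classpath and that a table products(name) exists; both are assumptions.
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

import org.owasp.encoder.Encode;

public class SafeSearch {

    /**
     * Run the search. The raw term is bound as a parameter and never concatenated
     * into the SQL text, so quotes or comment markers in the term are just data.
     */
    public static List<String> searchProducts(Connection conn, String term) throws SQLException {
        List<String> names = new ArrayList<>();
        // '!' is declared as the LIKE escape character so a user typing '%' or '_'
        // searches for that literal character instead of a wildcard.
        String sql = "SELECT name FROM products WHERE LOWER(name) LIKE ? ESCAPE '!'";
        String escaped = term.replace("!", "!!").replace("%", "!%").replace("_", "!_");
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, "%" + escaped.toLowerCase() + "%");
            try (ResultSet rs = ps.executeQuery()) {
                while (rs.next()) {
                    names.add(rs.getString(1));
                }
            }
        }
        return names;
    }

    /**
     * Render the results fragment. The term is stored unmodified; each place it is
     * written gets the encoder for that output context.
     */
    public static String renderResults(String term, List<String> names) {
        StringBuilder html = new StringBuilder();
        // HTML body context: '<' and '>' become &lt; and &gt;, so markup is displayed, not parsed.
        html.append("<h2>Results for \"").append(Encode.forHtml(term)).append("\"</h2>\n");
        // Quoted attribute context: keeps the term in the box so the user can refine it.
        html.append("<input type=\"text\" name=\"q\" value=\"")
            .append(Encode.forHtmlAttribute(term)).append("\">\n");
        // JavaScript string context, e.g. for client-side highlighting of the term.
        html.append("<script>var lastQuery = '")
            .append(Encode.forJavaScript(term)).append("';</script>\n");
        html.append("<ul>\n");
        for (String name : names) {
            // Database content is untrusted output too; encode it the same way.
            html.append("  <li>").append(Encode.forHtml(name)).append("</li>\n");
        }
        html.append("</ul>\n");
        return html.toString();
    }

    public static void main(String[] args) {
        // Constructed input: a term containing markup. A blacklist would strip or corrupt it;
        // output encoding shows it verbatim as text, and "script" remains a searchable word.
        String term = "\"><script>alert(1)</script>";
        List<String> constructedRows = Arrays.asList("script holder", "prescription pad");
        System.out.println(renderResults(term, constructedRows));
    }
}
```

The same `Encode.forHtml(...)`, `Encode.forHtmlAttribute(...)` and `Encode.forJavaScript(...)` calls can be invoked from a JSP wherever the search parameter is written out; the point is that nothing is changed when the value arrives, only when it is written into a specific context, and that the database sees it only as a bound parameter.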
 