
Fixing cross-site scripting (XSS) in search box

I need your assistance in fixing an issue in the search textbox in one of the JSPs. I was informed that cross site scripting can be done in the textbox, and I put the below code in my JSP to fix the issue:


Now, after applying the above code, the cross site scripting can be done, and the problem is that the search can't be done using the textbox: it displays no results every time.

So, can you please assist me in writing the best code? Thanks.

We can't help with why your search no longer works, as you haven't posted any of the code related to that. But I do see a whole lot of string replacing that does not seem to make much sense; can you walk us through what you're trying to achieve by those?

If the aim is to display the search terms safely on a web page then the thing to do is to replace pointy brackets, basically what line 13 or 21 does (if you remove the superfluous spaces).

A rather different task is to remove everything from the search term that might confuse the search engine. Now we can't advise on how to go about that because you haven't told us anything about how that works.

Are you using PreparedStatement for your JDBC?

There is a lot of misinformation about cross site scripting out there. Be careful of the sources you use. The first place I would check is:
https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet

For cross site scripting, you should be escaping untrusted data when outputting it on a page. The tag libraries for web frameworks should have a way of doing this for you.

A blacklist approach like you're using is not recommended. It always leaves many holes in the filtering. For example, you're escaping "eval()" but not "eval ()". See https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet for how these filters can be bypassed.

Luckily, this is a solved problem. If you need escaping, use premade, fully tested libraries like:
https://www.owasp.org/index.php/OWASP_Java_Encoder_Project

Replacing input parameters has a few problems. One is that you are removing or corrupting valid user input as well as malicious input. What if the user wants to search for "script"? Another is that it doesn't take output context into account. Data that is safe for attribute values might not be safe for css styles, or javascript contents. This is why these encoder libraries focus on escaping output rather than input, and they have multiple escape methods depending on context.
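As an added illustration of the context-specific output encoding this reply recommends (example code written for this thread, not code from the thread or from the OWASP Java Encoder project), here is a small search page that echoes the raw search term in four different output contexts using the encoder's JSP taglib plus JSTL. The parameter name `q`, the page name `search.jsp` and the layout are assumptions; the input is never modified, only encoded where it is written out.

```jsp
<%@ page contentType="text/html;charset=UTF-8" pageEncoding="UTF-8" %>
<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
<%@ taglib prefix="e" uri="https://www.owasp.org/index.php/OWASP_Java_Encoder_Project" %>
<%-- Assumption: the search term arrives as request parameter "q".
     The raw value is kept intact (so a search for "script" still works);
     it is encoded at each output point for the context it lands in.
     The encoder renders a null as the text "null", so default to "". --%>
<c:set var="q" value="${empty param.q ? '' : param.q}" />
<!DOCTYPE html>
<html>
<head>
  <meta charset="UTF-8">
  <title>Search</title>
  <script>
    // JavaScript string context: forJavaScript escapes quotes, backslashes
    // and the characters that could otherwise close the <script> block.
    var lastQuery = "${e:forJavaScript(q)}";
  </script>
</head>
<body>
  <form method="get" action="search.jsp">
    <%-- HTML attribute context: the user's own term is shown back in the box.
         forHtmlAttribute encodes quotes, so the value cannot break out of
         the attribute and add an onmouseover or similar. --%>
    <input type="text" name="q" value="${e:forHtmlAttribute(q)}">
    <input type="submit" value="Search">
  </form>

  <%-- HTML body context: pointy brackets and ampersands become entities. --%>
  <p>Results for: <strong>${e:forHtml(q)}</strong></p>

  <%-- URL query-component context, e.g. a paging link that carries the term. --%>
  <a href="search.jsp?q=${e:forUriComponent(q)}&amp;page=2">Next page</a>
</body>
</html>
```

The same term gets a different encoding in each of the four spots, which is the point made above about output context: a value that is harmless inside `<p>` is not automatically harmless inside a `value=""` attribute or a JavaScript string literal. With the taglib on the classpath (the `encoder-jsp` artifact alongside `encoder`), nothing about the original request parameter needs to change, so the search itself keeps receiving exactly what the user typed.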

I'm wondering if it's really SQL Injection that he needs to worry about (though XSS is also a concern).
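For the PreparedStatement question raised earlier in the thread, here is an added example of how the search itself can take the untouched user term safely (example code written for this thread, not from the original poster). It assumes a `javax.sql.DataSource`, a table named `items` with a `name` column, and that the search is a simple substring match; those names are hypothetical. The term is passed as a bind parameter, so no replacing of quotes or keywords is needed on the way in, and the LIKE wildcards are escaped so a user searching for "100%" gets a literal match.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.List;
import javax.sql.DataSource;

/** Hypothetical search DAO; the table "items" and column "name" are assumptions. */
public class ItemSearch {
    private final DataSource ds;

    public ItemSearch(DataSource ds) {
        this.ds = ds;
    }

    /**
     * Escape the LIKE metacharacters so that "%" and "_" typed by the user
     * match literally. "!" is used as the escape character because a backslash
     * inside a string literal is treated specially by some databases.
     */
    static String escapeLike(String term) {
        return term.replace("!", "!!").replace("%", "!%").replace("_", "!_");
    }

    /** Returns the names containing the raw term; the term is never spliced into SQL text. */
    public List<String> search(String rawTerm) throws SQLException {
        // The "?" placeholder is the only thing the term ever binds to, so quotes,
        // comments or semicolons inside it cannot change the statement.
        String sql = "SELECT name FROM items WHERE name LIKE ? ESCAPE '!'";
        List<String> hits = new ArrayList<>();
        try (Connection c = ds.getConnection();
             PreparedStatement ps = c.prepareStatement(sql)) {
            ps.setString(1, "%" + escapeLike(rawTerm == null ? "" : rawTerm) + "%");
            try (ResultSet rs = ps.executeQuery()) {
                while (rs.next()) {
                    hits.add(rs.getString("name"));
                }
            }
        }
        return hits;
    }
}
```

With this in place the JSP's job is reduced to rendering: the servlet or controller calls `search(request.getParameter("q"))`, and any term, including one containing `<script>` or a quote, is both searched correctly and encoded on output rather than stripped on input.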