JSTL c:out in Anchor tag

Hi,


How to use the JSLT c:out tag value inside the ANCHOR tab (a href)? i have the below a href,


<p><a id="customerData" class="btn-link" href="/xxx/test/customerData.jsp?userId=${userId}">Customer Data</a></p>

Here instead of using the JSP expression i need to use <c:out> to prevent XSS attacks , please let me know the below is fine ?

<p><a id="customerData" class="btn-link" href="/xxx/test/customerData.jsp?userId=<c:out value= '${userId}' ">Customer Data</a></p>

If not what is the best way to prevent the XSS attacks from here in the above a href tag. Please clarify.

Thanks

I din't see any problems with it. Did it work when you tried it?

Where is the XSS vulnerability in your example?  Is the value of ${userId} untrustworthy and needs to be sanitized/escaped before being sent to the client/browser?

Aren't those effectively the same thing?
You're just setting the value to whatever userId is.
As Ron says, that's not going to have any effect on XSS, if userId is unsafe.

Hi Team,

It is being reported by the security team the below URL where we are passing the userId is susceptible to XSS attacks, so they were asking to escape or HTML encode it .

<p><a id="customerData" class="btn-link" href="/xxx/test/customerData.jsp?userId=${userId}">Customer Data</a></p>

I read that using c:out or fn:escapeXml we can make sure the value passed is safe and not susceptible to XSS security attacks.

To answer the below query,

Is the value of ${userId} untrustworthy and needs to be sanitized/escaped before being sent to the client/browser?

Yes, for this value only i am thinking of using <c:out value> -

<p><a id="customerData" class="btn-link" href="/xxx/test/customerData.jsp?userId=<c:out value= '${userId}' ">Customer Data</a></p>  

Please let me know this is the right way to sanitized/escaped before send to browser?

Thanks in advance.

I think you've got it backwards. You're talking about information you have (the userId) that you're putting into the URL that is contained in the response.

Sanitizing to prevent XSS is about sanitizing input, not so much the output, which is what you're thinking of doing with <c:out userid> in the middle of the hard-coded URL.

For example, if you have userId = "rlaxmi" then that URL becomes this:
<a id="customerData" class="btn-link" href="/xxx/test/customerData.jsp?userId=rlaxmi">Customer Data</a>
There is no security benefit in escaping or encoding the output there if you have full control of what the value of that parameter is when you craft the URL. All you'd be doing is Security by obscurity which is nothing, essentially.

What you need to do is prevent malicious attackers from taking that URL (the attack surface) and replacing the value of the userId parameter to something that, if used raw and unsanitized, can be used to exploit a vulnerability in your code. It's the data that is coming in that you want to sanitize, not so much the values that you're displaying because at that point, it might already be too late.

Search for articles that explain the anatomy of a XSS attack to get a better understanding of exactly what it is you're trying to prevent. Make sure you understand what you're doing, don't just take whatever instructions you're given verbatim and blindly do things without understanding the underlying mechanisms and issues you're trying to address.

Thanks Lacar, could you please let me know what is the best way sanitize the input value before it is displayed/rendered in the browser as the <c:out? added here is not having any impact here and based on the testimng still we are seeing XSS popup from being displayed when we pass request value like below,

<a id="customerData" class="btn-link" href="/xxx/test/customerData.jsp?userId=<c:out value= '${userId}'/>">Customer Data</a>

Testing is done through this by passing the below value for user Id which is not preventing the XSS and displaying the alert message with 123, this is even after adding the <c:out> as above.

/xxx/test/customerData.jsp?userId=%22whscheck=%22whscheck%22onmouseover=%22alert(123)%22&userId=-4658372095924766409&login=success&_requestid=3980

I want to handle this through the JSTL tag at client side , please let me know is there any other option to handle XSS attacks by encoding the userId input value that is getting passed to the anchor tag?

Thanks in advance.

No, you want to handle this by sanitising your data as it comes into your application.

You have received a userId from the client, surely you can validate that before doing anymore processing?
That string of stuff should never get as far as the JSP page.

Thanks Dave, but how i can do the sanitizing the input data in JSP , already i am using the <c:out> as mentioned in the below link to prevent XSS attacks. I want to handle this from client side/JSP. I was going through the below URL , there it is mentioned to use the <c:out> for sanitization.

https://hdivsecurity.com/owasp-xss

Why <c:out> is not working here as mentioned in the above link, not getting how we can sanitise the input data (userId) here to prevent XSS attacks?

Other option is using =${fn:escapeXml(userId)}

<a id="customerData" class="btn-link" href="/xxx/test/customerData.jsp?userId==${fn:escapeXml(userId)}/>">Customer Data</a>

any other option we have to ensure the input is encoded and not susceptible to XSS attacks fro JSP. Please provide your expert opinion and let me know where i am going wrong.

Hi Team,

Any update on this issue is highly appreciated. Thanks in advance.

Rithanya Laxmi wrote:Thanks Dave, but how i can do the sanitizing the input data in JSP , already i am using the <c:out> as mentioned in the below link to prevent XSS attacks.

It seems like you didn't understand what Dave posted. He said you should sanitize the input when it comes in. You persist in asking how to sanitize it in a JSP, which is a tool to output data. So that's the wrong question to ask and you should stop asking it. Instead you should be working on sanitizing the input when you receive it.

Thanks Paul, in that case the input sanitization should be done at the server side in java code than in JSP? if that is the case why in the below links it is mentioned to use <c:out> and <fn:escapeXml> for HTML sanitization in JSP ?

https://hdivsecurity.com/owasp-xss
https://stackoverflow.com/questions/2658922/xss-prevention-in-jsp-servlet-web-application

Somehow two threads seem to have converged on a duplicate discussion. Let's put all of the future discussion into the other one: https://coderanch.com/t/722265/java/XSS-attacks-anchor-tag

I'll close this one.