How to avoid HTML Injection and XSS on JSP pages?

In PHP I have seen uses of htmlspecialchars and mysqli. But in Java, is there some way to avoid XSS and HTML injection?

I would also like to know which would be the best (the safest) way: escaping the elements (HTML, JavaScript), or wrapping the data in a <pre> tag for display so that it does not affect the page?


    Dude, without thinking too hard I can already say that the <pre> tag does not solve it on its own without some other, more complex treatment alongside it; otherwise the attacker would simply start the injected HTML with </pre> and end it with <pre>.

  • Yeah. I saw an implementation on WhatsApp Web that uses the <pre> tag together with <span>.


2 answers


JSPs

The simplest way is to use the <c:out> tag from the JSTL Core library. Example:

<%@ taglib uri="http://java.sun.com/jsp/jstl/core" prefix="c" %>
<c:out value="${suaVariavel}" />

would be the same as:

<c:out value="${suaVariavel}" escapeXml="true" />

A more detailed example is at this reference link.

A common mistake

Thinking that JSTL already ships inside web containers and forgetting to add JSTL to the project. It can be found here, or imported as a dependency in a Maven project:

<dependency>
    <groupId>javax.servlet</groupId>
    <artifactId>jstl</artifactId>
    <version>1.2</version>
</dependency>

Worth a look at ...

ESAPI - Extra security for WEB applications

A utility library that implements various security mechanisms. It lets you safely read cookies, request parameters, the session, and more.
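As an added example (not code from either answer, and not part of JSTL or ESAPI), here is a small stand-alone Java program that applies the same five substitutions <c:out escapeXml="true"> performs (<, >, &, ', ") and runs them against the </pre> break-out payload described in the comments on the question, plus a second constructed payload. The class and method names are my own, the payloads are constructed for the demo, and the final part shows why escaping should happen at display time rather than at storage time.

```java
import java.util.Arrays;
import java.util.List;

// Added example: mirrors the default escaping of JSTL's <c:out> in plain
// Java so the effect can be seen without a servlet container.
public class OutputEscapingDemo {

    // Same character set <c:out escapeXml="true"> escapes by default.
    static String escapeXml(String s) {
        if (s == null) return "";
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '\'': sb.append("&#039;"); break;
                case '"':  sb.append("&#034;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // The "just wrap it in <pre>" idea from the question: no escaping at all.
    static String renderWithPre(String userInput) {
        return "<pre>" + userInput + "</pre>";
    }

    // What the JSP effectively emits with <pre><c:out value="${x}"/></pre>.
    static String renderEscaped(String userInput) {
        return "<pre>" + escapeXml(userInput) + "</pre>";
    }

    // Crude check: does the rendered HTML still open the given tag raw?
    static boolean containsRawTag(String html, String tag) {
        return html.toLowerCase().contains("<" + tag.toLowerCase());
    }

    public static void main(String[] args) {
        // Constructed attacker inputs: the first is the </pre> break-out from
        // the comments, the second mixes quotes, an ampersand and an event
        // handler attribute.
        List<String> payloads = Arrays.asList(
            "</pre><script>alert(1)</script><pre>",
            "Tom & Jerry say \"hi\" <b onmouseover='alert(1)'>x</b>"
        );

        for (String p : payloads) {
            String naive = renderWithPre(p);
            String safe = renderEscaped(p);
            System.out.println("input      : " + p);
            System.out.println("<pre> only : " + naive);
            System.out.println("  raw <script> or <b> left? "
                + (containsRawTag(naive, "script") || containsRawTag(naive, "b")));
            System.out.println("escaped    : " + safe);
            System.out.println("  raw <script> or <b> left? "
                + (containsRawTag(safe, "script") || containsRawTag(safe, "b")));
            System.out.println();
        }

        // Why the second answer stores the raw text and escapes on read:
        // escaping on write and again on read double-encodes the entities.
        String once = escapeXml("a < b & c");
        String twice = escapeXml(once);
        System.out.println("escaped once : " + once);
        System.out.println("escaped twice: " + twice);
    }
}
```

Run with `javac OutputEscapingDemo.java && java OutputEscapingDemo`. The <pre> wrapping leaves the attacker's tags intact and the browser parses them as markup; the escaped version turns every `<` into `&lt;`, so the text is displayed verbatim. The double-escaping lines show the corruption you get if the same text is escaped both when stored and when displayed, which is the reason to escape only at output.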


As Victor said, <pre> doesn't prevent this; maybe you're thinking that this tag converts the content to entities, but maybe it's just a confusion.

Personally, I store exactly what was "written", but at read time I use methods similar to htmlspecialchars; this avoids conflicts, since the text was not changed when it was stored.

If your concern is reading the data from a database and printing it on screen, you can use the following at the moment you read the data from the row:

import org.apache.commons.lang.StringEscapeUtils;
...
String data = StringEscapeUtils.escapeHtml("<script>alert(1);</script>");

I don't know what your code looks like or which framework you use, but I believe the idea is always the same: "escape" the content at display time (correct me if I'm wrong).

Documentation: StringEscapeUtils (Commons Lang 2.6 API)

  • Just be careful with people who craft things like <s&#xA;cript> (I don't know if the editor allows it, but there is a line break between <s and cript>), which the browser may treat as === <script>. In JavaScript there is a spectacular library called DOMPurify; maybe there is something for Java too?

  • @Moshmage if you want to display it as HTML, DOMPurify does look good, but if you don't want to display it, then converting the HTML into entities is enough, I think.

  • Since XSS is usually meant to run on the client's machine, it injects itself into places where HTML can be used; imagine an unprotected WYSIWYG editor? It will want to display as HTML, and you don't want it carrying some hidden scripts ;P

  • I think you misunderstood what I said @Moshmage; I'll try to make the text clearer: IF there is NO need to display the user-generated HTML, StringEscapeUtils.escapeHtml is enough; IF THERE IS a need to display user-created HTML, then tools similar to DOMPurify are good solutions. Got it? I wasn't criticizing you, I was just pointing out when each one is needed.

  • All good :) I only mentioned DOMPurify because I really did read the question wrong; I thought it wanted to display HTML. My bad ^^
