Prevent cross site scripting in Java

Hi,

I have JSP pages that take user input and process it in the servlet handler class. I would like to test the user input for the presence of any malicious cross-site scripting, for example: in my input box, if the user enters <script>alert("bad code")</script>, this should be caught in my servlet and I need to remove the script part from any request object's parameter values, i.e. anything between <script>..</script>, or at least escape the "<" and ">" characters, AND finally I need to reset the request object with this modified value for further processing.

Any input on this issue is welcome. Also, if someone can provide sample code with a regular expression to filter the <script> part or the "<" and ">" part and reset it on the request object inside a Java servlet, that would be really helpful.

Thanks!
javagiripAsked:
javagiripAuthor Commented:
Thanks! Yes, I have seen that article before. It is generally useful for gaining knowledge about cross-site scripting.

At this point I am really looking for a sample application that filters (using a regular expression) for the <script> part or the "<" and ">" part and resets it on the request object inside a Java servlet.
0
TimYatesCommented:
Can't you just do:

String filtered = inputString.replaceAll( "<", "&lt;" ).replaceAll( ">", "&gt;" ) ;
0
javagiripAuthor Commented:
Yes, that will work, but for this I need to use this logic wherever I use HttpServletRequest.getParameter(), and in my application I am using HttpServletRequest.getParameter within many methods. So I would really like to check for these special characters in my first step, before passing the HttpServletRequest object to other methods that use request.getParameter().

Here is my idea: my first method gets all the request parameter values from the HttpServletRequest object, checks for any special characters, replaces these characters and resets the parameter values into the HttpServletRequest object. I can do most of this but just couldn't get the resetting of the parameter value into the HttpServletRequest object to work. Any help would be appreciated.
0
TimYatesCommented:
I believe HttpServletRequest is a read only object...

Well, you can set Attributes on it, but not alter the header, or parameters...
0
MogalManicCommented:
Create a facade that wraps the HttpServletRequest that does the necessary conversion:

import java.util.HashMap;
import java.util.Iterator;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

// Extending HttpServletRequestWrapper (Servlet 2.3+) gives every other
// HttpServletRequest method as a passthrough to the wrapped request for free.
class CSSSafeHttpServletRequest extends HttpServletRequestWrapper
{
      public CSSSafeHttpServletRequest(HttpServletRequest request)
      {
            super(request);   // the wrapper keeps the original as its source
      }

      private static String escape(String value)
      {
            return value.replaceAll( "<", "&lt;" ).replaceAll( ">", "&gt;" );
      }

      public String getParameter(String name)
      {
           String value=super.getParameter(name);
           return value==null ? null : escape(value);   // absent parameter stays null
      }

      public String[] getParameterValues(String name)
      {
           String[] values=super.getParameterValues(name);
           if(values==null) return null;
           // Copy instead of editing in place: the container owns the original array
           String[] escaped=new String[values.length];
           for(int i=0;i<values.length;i++)
               escaped[i]=escape(values[i]);
           return escaped;
      }

     public Map getParameterMap()
     {
          Map paramMap=new HashMap();
          for(Iterator it=super.getParameterMap().entrySet().iterator();it.hasNext();) {
             Map.Entry each=(Map.Entry) it.next();
             paramMap.put(each.getKey(), getParameterValues((String) each.getKey()));
        }
        return paramMap;
     }
     
      //The rest (getAttribute etc.) are passthroughs inherited from HttpServletRequestWrapper
}
0
TimYatesCommented:
That's a really good idea :-)

of course, that still relies on people using the facade in their code...
0
MogalManicCommented:
You can pretty much force them to do it like this:


import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

protected void doPost(HttpServletRequest request, HttpServletResponse response)
        throws ServletException, IOException
{
    doGet(request, response);
}

protected void doGet(HttpServletRequest request, HttpServletResponse response)
        throws ServletException, IOException
{
    // Reassigning the parameter means the rest of the method can only see the wrapper
    request=new CSSSafeHttpServletRequest(request);
...REST OF SERVLET CODE...
}


this way the request gets replaced in the doGet() method and you cannot use the old request!
0
TimYatesCommented:
true...

(so long as they include that line in their servlet) ;-)

You could also do:

import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class CSSSafeServlet extends HttpServlet
{
    // Wrap once here; the doGet()/doPost() of every subclass then receive the escaped request
    protected void service( HttpServletRequest req, HttpServletResponse resp )
        throws ServletException, IOException
    {
        req = new CSSSafeHttpServletRequest( req ) ;
        super.service( req, resp ) ;
    }
}

And force people to extend CSSSafeServlet instead of HttpServlet :-)

(I think -- heh, I haven't tested this) ;-)

Tim
0
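As an added example (not code from this thread), the same request wrapper installed through a servlet Filter, which covers Tim's point that the facade only helps when every servlet remembers to use it: a filter mapped to /* wraps every request before any servlet sees it. It goes a bit beyond the thread by also escaping & and quotes, not only < and >; it assumes Servlet 2.3 or later (javax.servlet.Filter and HttpServletRequestWrapper), and the names XssEscapeFilter and EscapingRequest are mine.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

// Mapped to /* in web.xml, this filter wraps every request before any servlet
// sees it, so no servlet has to remember to construct the wrapper itself.
public class XssEscapeFilter implements Filter {
    public void init(FilterConfig config) throws ServletException { }
    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
            throws IOException, ServletException {
        if (req instanceof HttpServletRequest) req = new EscapingRequest((HttpServletRequest) req);
        chain.doFilter(req, resp);   // downstream servlets only ever get the wrapper
    }

    // HTML-escapes the characters that let a value break out of text or an attribute.
    // '&' is handled like the others so an escaped value never re-forms a tag or entity.
    static String escapeHtml(String s) {
        StringBuffer out = new StringBuffer(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            if (c == '&') out.append("&amp;");
            else if (c == '<') out.append("&lt;");
            else if (c == '>') out.append("&gt;");
            else if (c == '"') out.append("&quot;");
            else if (c == '\'') out.append("&#39;");
            else out.append(c);
        }
        return out.toString();
    }

    static class EscapingRequest extends HttpServletRequestWrapper {
        EscapingRequest(HttpServletRequest r) { super(r); }
        public String getParameter(String name) {
            String v = super.getParameter(name);
            return v == null ? null : escapeHtml(v);   // missing parameter stays null
        }
        public String[] getParameterValues(String name) {
            String[] v = super.getParameterValues(name);
            if (v == null) return null;
            String[] out = new String[v.length];
            for (int i = 0; i < v.length; i++) out[i] = escapeHtml(v[i]);
            return out;   // a copy, so the container's own array is left untouched
        }
    }
}
```

Register it in web.xml with a <filter> entry and a <filter-mapping> whose <url-pattern> is /*. Escaping at input time is what the thread asked for, but the escaped value is then only correct when printed as HTML, so code that stores, compares or puts the parameter into a URL will see the entity form rather than the raw text.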
TimYatesCommented:
I reckon split between me and MogalManic...
0
javagiripAuthor Commented:
I accept splitting points between MogalManic and TimYates. I don't know how to do that.

Thanks!
0
TimYatesCommented:
there is a "Split points" link just above the comment box (and just below this post) :-)

Tim
0
javagiripAuthor Commented:
DONE, Thanks!
0