• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 272
  • Last Modified:

Prevent cross-site scripting in Java

Hi,

I have JSP pages that take user input and process it in the servlet handler class. I would like to test the user input for the presence of any malicious cross-site scripting; for example, in my input box, if the user enters <script>alert("bad code")</script>, this should be caught in my servlet and I need to remove the script part from any request object's parameter values, i.e. anything between <script>..</script>, or at least escape the "<" and ">" characters, AND finally I need to reset the request object with this modified value for further processing.

Any input on this issue is welcome. Also, if someone can provide sample code with a regular expression to filter out the <script> part or the "<" and ">" part and reset it on the request object inside a Java servlet, that would be really helpful.

Thanks!
0
Asked: javagirip
2 Solutions
 
javagiripAuthor Commented:
Thanks! Yes, I have seen that article before. It is generally useful for gaining knowledge about cross-site scripting.

At this point I am really looking for a sample application that does the filtering (using a regular expression) for the <script> part or the "<" and ">" part and resets it on the request object inside a Java servlet.
0
 
TimYatesCommented:
Can't you just do:

String filtered = inputString.replaceAll( "<", "&lt;" ).replaceAll( ">", "&gt;" ) ;
0

 
javagiripAuthor Commented:
Yes, that will work, but for this I need to use this logic wherever I use HttpServletRequest.getParameter(), and in my application I am using HttpServletRequest.getParameter() within many methods. So I would really like to check for these special characters in my first step, before passing the HttpServletRequest object to the other methods that use request.getParameter().

Here is my idea: my first method gets all the request parameter values from the HttpServletRequest object, checks for any special characters, replaces these characters and resets the parameter values into the HttpServletRequest object. I can do most of this, but I just couldn't get the resetting of the parameter value into the HttpServletRequest object to work. Any help would be appreciated.
0
 
TimYatesCommented:
I believe HttpServletRequest is a read only object...

Well, you can set attributes on it, but not alter the headers or parameters...
0
 
MogalManicCommented:
Create a facade that wraps the HttpServletRequest that does the necessary conversion:

import java.util.HashMap;
import java.util.Iterator;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;

// Facade over the container's request: every parameter accessor hands back an escaped copy
class CSSSafeHttpServletRequest implements HttpServletRequest
{
    HttpServletRequest source;

    public CSSSafeHttpServletRequest(HttpServletRequest request)
    {
        this.source = request;
    }

    // getParameter() returns null for a missing parameter, so guard before escaping
    private static String escape(String value)
    {
        return value == null ? null : value.replaceAll( "<", "&lt;" ).replaceAll( ">", "&gt;" );
    }

    public String getParameter(String name)
    {
        return escape(this.source.getParameter(name));
    }

    // Must be wrapped as well, or callers can read the raw values through this accessor
    public String[] getParameterValues(String name)
    {
        String[] raw = this.source.getParameterValues(name);
        if (raw == null) return null;
        String[] value = new String[raw.length];   // copy: do not mutate the container's own array
        for (int i = 0; i < raw.length; i++)
            value[i] = escape(raw[i]);
        return value;
    }

    public Map getParameterMap()
    {
        Map paramMap = new HashMap();
        for (Iterator it = this.source.getParameterMap().entrySet().iterator(); it.hasNext();) {
            Map.Entry each = (Map.Entry) it.next();
            paramMap.put(each.getKey(), getParameterValues((String) each.getKey()));
        }
        return paramMap;
    }

    // The rest are just passthroughs to source
    // (javax.servlet.http.HttpServletRequestWrapper, Servlet 2.3+, supplies these for free)
    public Object getAttribute(String name)
    {
        return this.source.getAttribute(name);
    }
...
}
0
 
TimYatesCommented:
That's a really good idea :-)

Of course, that still relies on people using the facade in their code...
0
 
MogalManicCommented:
You can pretty much force them to do it like this:


public void doPost(HttpServletRequest request, HttpServletResponse response)
    throws ServletException, IOException
{
    doGet(request, response);
}

public void doGet(HttpServletRequest request, HttpServletResponse response)
    throws ServletException, IOException
{
    // Rebind the parameter to the facade, so the rest of the method only sees escaped values
    request = new CSSSafeHttpServletRequest(request);
...REST OF SERVLET CODE...
}


This way the request gets replaced in the doGet() method and you cannot use the old request!
0
 
TimYatesCommented:
true...

(so long as they include that line in their servlet) ;-)

You could also do:

public class CSSSafeServlet extends HttpServlet
{
    protected void service( HttpServletRequest req, HttpServletResponse resp )
        throws ServletException, IOException
    {
        // Wrap once here; the doGet()/doPost() of every subclass then only ever sees the facade
        req = new CSSSafeHttpServletRequest( req ) ;
        super.service( req, resp ) ;
    }
}

And force people to extend CSSSafeServlet instead of HttpServlet :-)

(I think -- heh, I haven't tested this) ;-)

Tim
0
 
TimYatesCommented:
I reckon split between me and MogalManic...
0
 
javagiripAuthor Commented:
I accept splitting points between MogalManic and TimYates. I don't know how to do that.

Thanks!
0
 
TimYatesCommented:
there is a "Split points" link just above the comment box (and just below this post) :-)

Tim
0
 
javagiripAuthor Commented:
DONE, Thanks!
0
