Gibu George (India) asked:

Java Library to fix XSS (Cross-site Scripting) for rich data

I have a web application written in Java and JSP. I am using the Apache JServ server and not using any web frameworks like Struts or Spring MVC.

I would like to fix the XSS issue reported by IBM AppScan. We allow the users to enter rich data (HTML).

Can anyone suggest the best way to fix this vulnerability?
Please suggest any libraries available for this.

Thanks
mhaq_java

Call a JavaScript function on all entry points where data is added and replace special characters like > < ' " with their HTML codes.
Gibu George (ASKER)

As I mentioned in my question, we allow the user to enter HTML tags such as <b>, <br> etc. and we show the same user-entered text in another read-only page. In that read-only page we would like to apply the tags and show the text as bold or with line breaks. So replacing these characters with the HTML codes will start displaying the HTML codes in the read-only page.

Your thoughts?

Well, can other users see these pages?
Like a forum: if one has posted a comment, all else can see it. In this case they should not enter HTML tags.
In that case provide them with your own custom tags like [bold] [/bold], and replace them with the original tags at the time of saving. Only support a few tags that are needed for presentation.

Yes. One person will be posting and others will view it in read-only format. There are many persons who have authority to post the HTML text and they have been doing it for years now. Asking them to post it using custom tags will be difficult since they have to learn our custom tags, but in the case of HTML tags we don't have to teach them our custom tags. There are many postings already with HTML content stored in our DB.

Your thoughts?
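One way to reconcile the two suggestions in this thread (escape the special characters, but still honour a few presentation tags) with the existing posts that already contain <b> and <br>: escape everything first, then restore only an exact allow-list of attribute-free tags. This is an added example written for this thread, not code from the original page or from any commenter; the class name RichTextSanitizer and the chosen tag list are assumptions.

```java
import java.util.LinkedHashMap;
import java.util.Map;
public final class RichTextSanitizer {

    // Escaped form -> real tag. Only exact matches are restored, so a tag that
    // carries attributes (e.g. onmouseover=...) never becomes markup again.
    private static final Map<String, String> ALLOWED = new LinkedHashMap<>();
    static {
        for (String tag : new String[] {"b", "i", "u", "p", "ul", "ol", "li"}) {
            ALLOWED.put("&lt;" + tag + "&gt;", "<" + tag + ">");
            ALLOWED.put("&lt;/" + tag + "&gt;", "</" + tag + ">");
        }
        ALLOWED.put("&lt;br&gt;", "<br>");
        ALLOWED.put("&lt;br/&gt;", "<br>");
        ALLOWED.put("&lt;br /&gt;", "<br>");
    }

    // Escape the characters that can switch HTML parsing context.
    public static String escape(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // Run this on the way out (in the read-only JSP), or once at save time.
    public static String sanitize(String userHtml) {
        String out = escape(userHtml);
        for (Map.Entry<String, String> e : ALLOWED.entrySet()) {
            out = out.replace(e.getKey(), e.getValue());
        }
        return out;
    }

    public static void main(String[] args) {
        // Constructed sample post: legitimate formatting plus two hostile fragments.
        String post = "Hello <b>world</b><br><script>alert(1)</script><b onmouseover=\"x()\">hi</b>";
        System.out.println(sanitize(post));
    }
}
```

Tags in a different case or carrying attributes stay as visible escaped text rather than silently disappearing, which keeps the rule easy to audit; a literal "&lt;b&gt;" typed by a user is escaped to "&amp;lt;b&amp;gt;" and so is never mistaken for an allowed tag.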
ASKER CERTIFIED SOLUTION
mhaq_java

This is how it will look:
(attachment: editor.jpg)