Solved

Java Library to fix XSS (Cross-site Scripting) for rich data

Posted on 2009-06-29
927 Views
Last Modified: 2013-11-19
I have a web application written in Java and JSP. I am using the Apache JServ server and am not using any web frameworks like Struts or Spring MVC.

I would like to fix the XSS issue reported by IBM AppScan. We allow the users to enter rich data (HTML).

Can anyone suggest the best way to fix this vulnerability?
Please suggest any libraries available for this.

Thanks
Question by:Gibu George
9 Comments
 
LVL 2

Expert Comment

by:mhaq_java
ID: 24734334
Call a JavaScript function on all entry points where data is added and replace special characters like > < ' " with their HTML codes.
 
LVL 2

Expert Comment

by:mhaq_java
ID: 24734341
 
LVL 12

Author Comment

by:Gibu George
ID: 24734557
As I mentioned in my question, we allow the user to enter HTML tags such as <b>, <br>, etc., and we show the same user-entered text in another read-only page. In that read-only page we would like to apply the tags and show the text as bold or with line breaks. So replacing these characters with the HTML codes will start displaying the HTML codes in the read-only page.

Your thoughts?
 
LVL 2

Expert Comment

by:mhaq_java
ID: 24734597
Well, can other users see these pages?
Like a forum: if one person has posted a comment, all others can see it. In this case they should not enter HTML tags.
In that case, provide them with your own custom tags like [bold] [/bold], and replace them with the original tags at the time of saving. Only support a few tags that are needed for presentation.
 
LVL 12

Author Comment

by:Gibu George
ID: 24734687
Yes. One person will be posting and others will view it in read-only format. There are many persons who have the authority to post the HTML text, and they have been doing it for years now. Asking them to post it using custom tags will be difficult, since they would have to learn our custom tags, whereas in the case of HTML tags we don't have to teach them anything. There are many postings already with HTML content stored in our DB.

Your thoughts?
 
LVL 2

Accepted Solution

by:
mhaq_java earned 250 total points
ID: 24734754
There is no problem with already entered data; it will remain the same.
1) But you can provide icons for Bold, Italic & Underline, etc. When the user clicks on one, you place the custom tag at the current location of the cursor.
It will reduce the learning time for users.


2) There is an open source component, FCKEditor; use that editor. It is a rich text box and will help you with formatting. It also looks like MS Word, so there is no need for users to learn anything. And then replace HTML tags with HTML codes.
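Whichever editor produces the markup, the control that actually fixes the AppScan finding has to run on the server at save or render time: client-side JavaScript that encodes characters (the first suggestion above) can be skipped by anyone who posts the request directly, and wholesale entity-encoding breaks the <b> and <br> formatting the author needs to keep. The usual answer is an allow-list sanitizer: parse the submitted HTML, keep only a short list of formatting tags with no attributes (a scheme-checked href on <a> at most), drop <script>/<style> with their bodies, and re-escape every piece of text. The following is an added example, not code from this thread or from any library it mentions; it is written in Python using only the standard-library html.parser so it runs anywhere, and the allowed-tag set is an assumption chosen to match the author's description. In a Java/JSP application the same policy is what the OWASP sanitizer libraries implement, and the sanitized string is then written to the page unescaped while every other field is escaped as usual.

```python
"""Allow-list HTML sanitizer for user-supplied rich text (added example).

Keeps a small set of formatting tags, drops every attribute except a
scheme-checked href on <a>, removes <script>/<style> together with their
contents, and re-escapes all text so that nothing outside the allow list
reaches the browser as markup.  Stdlib only, so it runs offline.
"""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed policy for this example: the tags the thread's author says are needed.
ALLOWED_TAGS = {"b", "i", "u", "strong", "em", "p", "br", "ul", "ol", "li", "a"}
VOID_TAGS = {"br"}                       # emitted without a closing tag
ALLOWED_ATTRS = {"a": {"href"}}          # every other attribute (onclick, style, ...) is dropped
DROP_WITH_CONTENT = {"script", "style"}  # the tag *and* its body are removed


def _safe_url(url: str) -> bool:
    """Allow relative, http and https URLs only (rejects javascript:, data:, vbscript:).

    Browsers ignore embedded tab/newline when they parse a scheme, so strip
    all ASCII control/space characters before checking rather than trusting
    the raw string ("java\\tscript:" must still be rejected).
    """
    cleaned = "".join(ch for ch in url if ord(ch) > 32)
    try:
        return urlsplit(cleaned).scheme in ("", "http", "https")
    except ValueError:                   # malformed IPv6 literal etc.
        return False


class AllowListSanitizer(HTMLParser):
    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)  # entities arrive decoded; we re-escape on output
        self.out: list[str] = []
        self.open_tags: list[str] = []   # allowed tags currently open, for balanced output
        self.skip_depth = 0              # > 0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return                       # unknown tag vanishes; its text content is kept
        rendered = ""
        for name, value in attrs:
            if name in ALLOWED_ATTRS.get(tag, ()) and value is not None:
                if name == "href" and not _safe_url(value):
                    continue
                rendered += f' {name}="{escape(value, quote=True)}"'
        self.out.append(f"<{tag}{rendered}>")
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if self.skip_depth or tag not in self.open_tags:
            return                       # stray </x> is dropped
        while self.open_tags:            # also close anything opened after it
            opened = self.open_tags.pop()
            self.out.append(f"</{opened}>")
            if opened == tag:
                break

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))

    # Comments, <!DOCTYPE>, <?pi?> etc. hit the no-op defaults and vanish.


def sanitize(html: str) -> str:
    """Return HTML that is safe to write into a page body unescaped."""
    p = AllowListSanitizer()
    p.feed(html)
    p.close()
    while p.open_tags:                   # close tags the user left open
        p.out.append(f"</{p.open_tags.pop()}>")
    return "".join(p.out)


def escape_all(html: str) -> str:
    """The thread's first suggestion: entity-encode everything.  Safe, but
    <b> then shows literally, which is why the author needs the allow list."""
    return escape(html, quote=True)


if __name__ == "__main__":
    # Constructed sample post for the demo (not real user data).
    post = ('<b onmouseover="steal()">Hi</b><br><script>alert(1)</script>'
            '<a href="javascript:alert(2)">click</a> 1 &lt; 2')
    print(sanitize(post))    # <b>Hi</b><br><a>click</a> 1 &lt; 2
    print(escape_all(post))  # everything encoded, tags shown literally
```

Run the sanitizer once on the way into the database (so the existing posts can be cleaned with a one-off pass) and again, cheaply, on the way out, so a bypass in the stored data cannot reach a browser. Note that an unclosed <script> swallows the rest of that post, which is the safe failure mode here, and that style attributes and CSS are not on the list at all since they carry their own injection surface.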
 
LVL 2

Expert Comment

by:mhaq_java
ID: 24734806
This is how it will look:
editor.jpg
 
LVL 12

Assisted Solution

by:jahboite
jahboite earned 250 total points
ID: 24734958
I suggest having a look at OWASP's Enterprise Security API:
https://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API#tab=Java_EE
