preventing XSS in a spring mvc application

Rohit Bajaj
Rohit Bajaj used Ask the Experts™
on
HI,
I have a spring mvc application. In the initial page i load the following jsp :
	<!DOCTYPE html>
	<html>
	  <head>
		<title>Create Snippet</title>

    <meta name="viewport" content="width=device-width,initial-scale=1,maximum-scale=1">

    <script src="resources/lib/jquery/dist/jquery.js"></script>
    <script src="resources/lib/codemirror/lib/codemirror.js" type="text/javascript" charset="utf-8"></script>
    <script src="resources/lib/codemirror/addon/selection/active-line.js" type="text/javascript" charset="utf-8"></script>
    <script src="resources/lib/codemirror/mode/loadmode.js"></script>
    <script src="resources/lib/codemirror/mode/meta.js"></script>
    <script src="resources/lib/codemirror/mode/python/python.js" type="text/javascript" charset="utf-8"></script>
    
    <link rel="stylesheet" href="resources/lib/codemirror/lib/codemirror.css" />
    <link rel="stylesheet" href="resources/css/new.css"/>
  </head>

  <body>
    <div id="container">
      <div class="dialogWidget">
        <div class="dijitDialogTitleBar">
          <div class="dijitDialogTitle">Create Snippet</div>
        </div>
        <div class="dijitDialogPaneContent">
          <input id="name" type="text" class="title" placeholder="Title (optional)" />
          <div class="form-group">
            <select id="mode" class="form-control">
              <option value="" disabled selected style='display:none;'>Code Type</option>
              <option id="text/apl" > APL</option>
              <option id="application/pgp" > PGP</option>
              <option id="text/x-ttcn-asn" > ASN.1</option>
              <option id="text/x-asterisk" > Asterisk</option>
              <option id="text/x-csrc" > C</option>
              <option id="text/x-c++src" > C++</option>
              <option id="text/x-cobol" > Cobol</option>
              <option id="text/x-csharp" > C#</option>
              <option id="text/x-clojure" > Clojure</option>
              <option id="text/x-cmake" > CMake</option>
              <option id="text/x-coffeescript" > CoffeeScript</option>
              <option id="text/x-common-lisp" > Common Lisp</option>
              <option id="application/x-cypher-query" > Cypher</option>
              <option id="text/x-cython" > Cython</option>
              <option id="text/css" > CSS</option>
              <option id="text/x-cassandra" > CQL</option>
              <option id="text/x-d" > D</option>
              <option id="application/dart" > Dart</option>
              <option id="text/x-diff" > diff</option>
              <option id="text/x-django" > Django</option>
              <option id="text/x-dockerfile" > Dockerfile</option>
              <option id="application/xml-dtd" > DTD</option>
              <option id="text/x-dylan" > Dylan</option>
              <option id="text/x-ebnf" > EBNF</option>
              <option id="text/x-ecl" > ECL</option>
              <option id="text/x-eiffel" > Eiffel</option>
              <option id="application/x-ejs" > Embedded Javascript</option>
              <option id="application/x-erb" > Embedded Ruby</option>
              <option id="text/x-erlang" > Erlang</option>
              <option id="text/x-forth" > Forth</option>
              <option id="text/x-fortran" > Fortran</option>
              <option id="text/x-fsharp" > F#</option>
              <option id="text/x-gas" > Gas</option>
              <option id="text/x-feature" > Gherkin</option>
              <option id="text/x-gfm" > GitHub Flavored Markdown</option>
              <option id="text/x-go" > Go</option>
              <option id="text/x-groovy" > Groovy</option>
              <option id="text/x-haml" > HAML</option>
              <option id="text/x-haskell" > Haskell</option>
              <option id="text/x-haxe" > Haxe</option>
              <option id="text/x-hxml" > HXML</option>
              <option id="application/x-aspx" > ASP.NET</option>
              <option id="text/html" > HTML</option>
              <option id="message/http" > HTTP</option>
              <option id="text/x-idl" > IDL</option>
              <option id="text/x-jade" > Jade</option>
              <option id="text/x-java" > Java</option>
              <option id="application/x-jsp" > Java Server Pages</option>
              <option id="text/javascript" > JavaScript</option>
              <option id="application/json" > JSON</option>
              <option id="application/ld+json" > JSON-LD</option>
              <option id="text/x-julia" > Julia</option>
              <option id="text/x-kotlin" > Kotlin</option>
              <option id="text/x-less" > LESS</option>
              <option id="text/x-livescript" > LiveScript</option>
              <option id="text/x-lua" > Lua</option>
              <option id="text/x-markdown" > Markdown</option>
              <option id="text/mirc" > mIRC</option>
              <option id="text/x-mariadb" > MariaDB SQL</option>
              <option id="text/x-mathematica" > Mathematica</option>
              <option id="text/x-modelica" > Modelica</option>
              <option id="text/x-mumps" > MUMPS</option>
              <option id="text/x-mssql" > MS SQL</option>
              <option id="text/x-mysql" > MySQL</option>
              <option id="text/x-nginx-conf" > Nginx</option>
              <option id="text/n-triples" > NTriples</option>
              <option id="text/x-objectivec" > Objective C</option>
              <option id="text/x-ocaml" > OCaml</option>
              <option id="text/x-octave" > Octave</option>
              <option id="text/x-pascal" > Pascal</option>
              <option id="text/x-perl" > Perl</option>
              <option id="application/x-httpd-php" > PHP</option>
              <option id="text/x-pig" > Pig</option>
              <option id="text/plain" > Plain Text</option>
              <option id="text/x-plsql" > PLSQL</option>
              <option id="text/x-properties" > Properties files</option>
              <option id="text/x-python" > Python</option>
              <option id="text/x-puppet" > Puppet</option>
              <option id="text/x-q" > Q</option>
              <option id="text/x-rsrc" > R</option>
              <option id="text/x-rst" > reStructuredText</option>
              <option id="text/x-rpm-changes" > RPM Changes</option>
              <option id="text/x-rpm-spec" > RPM Spec</option>
              <option id="text/x-ruby" > Ruby</option>
              <option id="text/x-rustsrc" > Rust</option>
              <option id="text/x-sass" > Sass</option>
              <option id="text/x-scala" > Scala</option>
              <option id="text/x-scheme" > Scheme</option>
              <option id="text/x-scss" > SCSS</option>
              <option id="text/x-sh" > Shell</option>
              <option id="application/sieve" > Sieve</option>
              <option id="text/x-slim" > Slim</option>
              <option id="text/x-stsrc" > Smalltalk</option>
              <option id="text/x-smarty" > Smarty</option>
              <option id="text/x-solr" > Solr</option>
              <option id="text/x-soy" > Soy</option>
              <option id="application/sparql-query" > SPARQL</option>
              <option id="text/x-spreadsheet" > Spreadsheet</option>
              <option id="text/x-sql" > SQL</option>
              <option id="text/x-mariadb" > MariaDB</option>
              <option id="text/x-stex" > sTeX</option>
              <option id="text/x-latex" > LaTeX</option>
              <option id="text/x-systemverilog" > SystemVerilog</option>
              <option id="text/x-tcl" > Tcl</option>
              <option id="text/x-textile" > Textile</option>
              <option id="text/x-tiddlywiki" > TiddlyWiki </option>
              <option id="text/tiki" > Tiki wiki</option>
              <option id="text/x-toml" > TOML</option>
              <option id="text/x-tornado" > Tornado</option>
              <option id="troff" > troff</option>
              <option id="text/x-ttcn" > TTCN</option>
              <option id="text/x-ttcn-cfg" > TTCN_CFG</option>
              <option id="text/turtle" > Turtle</option>
              <option id="application/typescript" > TypeScript</option>
              <option id="text/x-twig" > Twig</option>
              <option id="text/x-vb" > VB.NET</option>
              <option id="text/vbscript" > VBScript</option>
              <option id="text/velocity" > Velocity</option>
              <option id="text/x-verilog" > Verilog</option>
              <option id="application/xml" > XML</option>
              <option id="application/xquery" > XQuery</option>
              <option id="text/x-yaml" > YAML</option>
              <option id="text/x-z80" > Z80</option>
            </select>
            
          </div>

			  <div id="editor-pane">
				<div id="editor"></div>
			  </div>
			  <div class="message_area">
					<textarea id="message" type="text" placeholder="Add Comment (Optional)" ></textarea>
			  </div>
			  <div class="buttons">
				  <button id="submit" class="btn_green">Create & Post</button>
				  <button class="dailogueCancel" id="cancel">Cancel</button>
			  </div>
			</div>
		  </div>
		</div>
		<div class="invisible" data-create-url="${createURL}"></div>

    <script src="resources/js/flockback.js" type="text/javascript"></script>
    <script src="resources/js/detect.js" type="text/javascript"></script>
    <script src="resources/js/new.js" type="text/javascript"></script>

  </body>
</html>

Open in new window


This is bascially an editor in which i can type a title and text
If it type <script>alert(10)</script> in the title field the script gets executed.
I want to avoid this.
I tried adding the following to the web.xml :
<context-param>
        <param-name>defaultHtmlEscape</param-name>
        <param-value>true</param-value>
    </context-param>

Open in new window


But it didnt work. Probably because this only works with forms.

Please guide Is there any way which spring provides so that i dont need to handle this manually ?
Thanks
Comment
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
Top Expert 2015

Commented:
Typing that javascript into the editor wont make its way to the server though right?
So having that defaultHtmlEscape context param will make no difference.

I'm not heavily clued up on XSS but isn't the point of it to prevent the server being hit with illegal characters? i.e you have to do a form post to get that to happen.

Author

Commented:
hi
yes just typing the script does not get executed. only when i press a button which post the data to the server.

Author

Commented:
currently i am not using forms but an ajax call which posts the entered data to the server
Ensure you’re charging the right price for your IT

Do you wonder if your IT business is truly profitable or if you should raise your prices? Learn how to calculate your overhead burden using our free interactive tool and use it to determine the right price for your IT services. Start calculating Now!

Top Expert 2015

Commented:
Ok, so the data is definitely hitting the server? i.e. can you see  <script>alert(10)</script> being passed to your mvc controller?

Author

Commented:
yes its getting passes to the controller
Top Expert 2015

Commented:
Seems the documentation only refers to it being used in forms.
What happens if you wrap your input field in a form?

Author

Commented:
wrapping input field in form tag does not work. I tried the following :

<form:form>
          <input id="name" type="text" class="title" placeholder="Title (optional)" />
          </form:form>

Open in new window

But still the javascript got executed.

Author

Commented:
It looks like because the post request is not going through the form but through ajax call.. so just wrapping into form is not working
Top Expert 2015
Commented:
Maybe you could use a servlet filter. You can then manipulate the request before giving it to your controller.

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial