The most successful MSPs rely on metrics – known as key performance indicators (KPIs) – for making informed decisions that help their businesses thrive, rather than just survive. This eBook provides an overview of the most important KPIs used by top MSPs.
preventing XSS in a spring mvc application
HI,
I have a spring mvc application. In the initial page i load the following jsp :
This is bascially an editor in which i can type a title and text
If it type <script>alert(10)</script>
I want to avoid this.
I tried adding the following to the web.xml :
But it didnt work. Probably because this only works with forms.
Please guide Is there any way which spring provides so that i dont need to handle this manually ?
Thanks
I have a spring mvc application. In the initial page i load the following jsp :
<!DOCTYPE html>
<html>
<head>
<title>Create Snippet</title>
<meta name="viewport" content="width=device-width,initial-scale=1,maximum-scale=1">
<script src="resources/lib/jquery/dist/jquery.js"></script>
<script src="resources/lib/codemirror/lib/codemirror.js" type="text/javascript" charset="utf-8"></script>
<script src="resources/lib/codemirror/addon/selection/active-line.js" type="text/javascript" charset="utf-8"></script>
<script src="resources/lib/codemirror/mode/loadmode.js"></script>
<script src="resources/lib/codemirror/mode/meta.js"></script>
<script src="resources/lib/codemirror/mode/python/python.js" type="text/javascript" charset="utf-8"></script>
<link rel="stylesheet" href="resources/lib/codemirror/lib/codemirror.css" />
<link rel="stylesheet" href="resources/css/new.css"/>
</head>
<body>
<div id="container">
<div class="dialogWidget">
<div class="dijitDialogTitleBar">
<div class="dijitDialogTitle">Create Snippet</div>
</div>
<div class="dijitDialogPaneContent">
<input id="name" type="text" class="title" placeholder="Title (optional)" />
<div class="form-group">
<select id="mode" class="form-control">
<option value="" disabled selected style='display:none;'>Code Type</option>
<option id="text/apl" > APL</option>
<option id="application/pgp" > PGP</option>
<option id="text/x-ttcn-asn" > ASN.1</option>
<option id="text/x-asterisk" > Asterisk</option>
<option id="text/x-csrc" > C</option>
<option id="text/x-c++src" > C++</option>
<option id="text/x-cobol" > Cobol</option>
<option id="text/x-csharp" > C#</option>
<option id="text/x-clojure" > Clojure</option>
<option id="text/x-cmake" > CMake</option>
<option id="text/x-coffeescript" > CoffeeScript</option>
<option id="text/x-common-lisp" > Common Lisp</option>
<option id="application/x-cypher-query" > Cypher</option>
<option id="text/x-cython" > Cython</option>
<option id="text/css" > CSS</option>
<option id="text/x-cassandra" > CQL</option>
<option id="text/x-d" > D</option>
<option id="application/dart" > Dart</option>
<option id="text/x-diff" > diff</option>
<option id="text/x-django" > Django</option>
<option id="text/x-dockerfile" > Dockerfile</option>
<option id="application/xml-dtd" > DTD</option>
<option id="text/x-dylan" > Dylan</option>
<option id="text/x-ebnf" > EBNF</option>
<option id="text/x-ecl" > ECL</option>
<option id="text/x-eiffel" > Eiffel</option>
<option id="application/x-ejs" > Embedded Javascript</option>
<option id="application/x-erb" > Embedded Ruby</option>
<option id="text/x-erlang" > Erlang</option>
<option id="text/x-forth" > Forth</option>
<option id="text/x-fortran" > Fortran</option>
<option id="text/x-fsharp" > F#</option>
<option id="text/x-gas" > Gas</option>
<option id="text/x-feature" > Gherkin</option>
<option id="text/x-gfm" > GitHub Flavored Markdown</option>
<option id="text/x-go" > Go</option>
<option id="text/x-groovy" > Groovy</option>
<option id="text/x-haml" > HAML</option>
<option id="text/x-haskell" > Haskell</option>
<option id="text/x-haxe" > Haxe</option>
<option id="text/x-hxml" > HXML</option>
<option id="application/x-aspx" > ASP.NET</option>
<option id="text/html" > HTML</option>
<option id="message/http" > HTTP</option>
<option id="text/x-idl" > IDL</option>
<option id="text/x-jade" > Jade</option>
<option id="text/x-java" > Java</option>
<option id="application/x-jsp" > Java Server Pages</option>
<option id="text/javascript" > JavaScript</option>
<option id="application/json" > JSON</option>
<option id="application/ld+json" > JSON-LD</option>
<option id="text/x-julia" > Julia</option>
<option id="text/x-kotlin" > Kotlin</option>
<option id="text/x-less" > LESS</option>
<option id="text/x-livescript" > LiveScript</option>
<option id="text/x-lua" > Lua</option>
<option id="text/x-markdown" > Markdown</option>
<option id="text/mirc" > mIRC</option>
<option id="text/x-mariadb" > MariaDB SQL</option>
<option id="text/x-mathematica" > Mathematica</option>
<option id="text/x-modelica" > Modelica</option>
<option id="text/x-mumps" > MUMPS</option>
<option id="text/x-mssql" > MS SQL</option>
<option id="text/x-mysql" > MySQL</option>
<option id="text/x-nginx-conf" > Nginx</option>
<option id="text/n-triples" > NTriples</option>
<option id="text/x-objectivec" > Objective C</option>
<option id="text/x-ocaml" > OCaml</option>
<option id="text/x-octave" > Octave</option>
<option id="text/x-pascal" > Pascal</option>
<option id="text/x-perl" > Perl</option>
<option id="application/x-httpd-php" > PHP</option>
<option id="text/x-pig" > Pig</option>
<option id="text/plain" > Plain Text</option>
<option id="text/x-plsql" > PLSQL</option>
<option id="text/x-properties" > Properties files</option>
<option id="text/x-python" > Python</option>
<option id="text/x-puppet" > Puppet</option>
<option id="text/x-q" > Q</option>
<option id="text/x-rsrc" > R</option>
<option id="text/x-rst" > reStructuredText</option>
<option id="text/x-rpm-changes" > RPM Changes</option>
<option id="text/x-rpm-spec" > RPM Spec</option>
<option id="text/x-ruby" > Ruby</option>
<option id="text/x-rustsrc" > Rust</option>
<option id="text/x-sass" > Sass</option>
<option id="text/x-scala" > Scala</option>
<option id="text/x-scheme" > Scheme</option>
<option id="text/x-scss" > SCSS</option>
<option id="text/x-sh" > Shell</option>
<option id="application/sieve" > Sieve</option>
<option id="text/x-slim" > Slim</option>
<option id="text/x-stsrc" > Smalltalk</option>
<option id="text/x-smarty" > Smarty</option>
<option id="text/x-solr" > Solr</option>
<option id="text/x-soy" > Soy</option>
<option id="application/sparql-query" > SPARQL</option>
<option id="text/x-spreadsheet" > Spreadsheet</option>
<option id="text/x-sql" > SQL</option>
<option id="text/x-mariadb" > MariaDB</option>
<option id="text/x-stex" > sTeX</option>
<option id="text/x-latex" > LaTeX</option>
<option id="text/x-systemverilog" > SystemVerilog</option>
<option id="text/x-tcl" > Tcl</option>
<option id="text/x-textile" > Textile</option>
<option id="text/x-tiddlywiki" > TiddlyWiki </option>
<option id="text/tiki" > Tiki wiki</option>
<option id="text/x-toml" > TOML</option>
<option id="text/x-tornado" > Tornado</option>
<option id="troff" > troff</option>
<option id="text/x-ttcn" > TTCN</option>
<option id="text/x-ttcn-cfg" > TTCN_CFG</option>
<option id="text/turtle" > Turtle</option>
<option id="application/typescript" > TypeScript</option>
<option id="text/x-twig" > Twig</option>
<option id="text/x-vb" > VB.NET</option>
<option id="text/vbscript" > VBScript</option>
<option id="text/velocity" > Velocity</option>
<option id="text/x-verilog" > Verilog</option>
<option id="application/xml" > XML</option>
<option id="application/xquery" > XQuery</option>
<option id="text/x-yaml" > YAML</option>
<option id="text/x-z80" > Z80</option>
</select>
</div>
<div id="editor-pane">
<div id="editor"></div>
</div>
<div class="message_area">
<textarea id="message" type="text" placeholder="Add Comment (Optional)" ></textarea>
</div>
<div class="buttons">
<button id="submit" class="btn_green">Create & Post</button>
<button class="dailogueCancel" id="cancel">Cancel</button>
</div>
</div>
</div>
</div>
<div class="invisible" data-create-url="${createURL}"></div>
<script src="resources/js/flockback.js" type="text/javascript"></script>
<script src="resources/js/detect.js" type="text/javascript"></script>
<script src="resources/js/new.js" type="text/javascript"></script>
</body>
</html>
This is bascially an editor in which i can type a title and text
If it type <script>alert(10)</script>
I want to avoid this.
I tried adding the following to the web.xml :
<context-param>
<param-name>defaultHtmlEscape</param-name>
<param-value>true</param-value>
</context-param>
But it didnt work. Probably because this only works with forms.
Please guide Is there any way which spring provides so that i dont need to handle this manually ?
Thanks
Who is Participating?
Experts Exchange Solution brought to you by
Enjoy your complimentary solution view.
Get every solution instantly with Premium.
Start your 7-day free trial.
I wear a lot of hats...
"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.
hi
yes just typing the script does not get executed. only when i press a button which post the data to the server.
yes just typing the script does not get executed. only when i press a button which post the data to the server.
Ok, so the data is definitely hitting the server? i.e. can you see <script>alert(10)</script>
Seems the documentation only refers to it being used in forms.
What happens if you wrap your input field in a form?
What happens if you wrap your input field in a form?
wrapping input field in form tag does not work. I tried the following :
<form:form>
<input id="name" type="text" class="title" placeholder="Title (optional)" />
</form:form>
It looks like because the post request is not going through the form but through ajax call.. so just wrapping into form is not working
Maybe you could use a servlet filter. You can then manipulate the request before giving it to your controller.
Experts Exchange Solution brought to you by
Your issues matter to us.
Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.
Start your 7-day free trialIt's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Java
From novice to tech pro — start learning today.
Experts Exchange Solution brought to you by
Enjoy your complimentary solution view.
Get every solution instantly with Premium.
Start your 7-day free trial.
So having that defaultHtmlEscape context param will make no difference.
I'm not heavily clued up on XSS but isn't the point of it to prevent the server being hit with illegal characters? i.e you have to do a form post to get that to happen.