asked on preventing XSS in a spring mvc application
HI,
I have a spring mvc application. In the initial page i load the following jsp :
This is bascially an editor in which i can type a title and text
If it type <script>alert(10)</script>
I want to avoid this.
I tried adding the following to the web.xml :
But it didnt work. Probably because this only works with forms.
Please guide Is there any way which spring provides so that i dont need to handle this manually ?
Thanks
I have a spring mvc application. In the initial page i load the following jsp :
<!DOCTYPE html>
<html>
<head>
<title>Create Snippet</title>
<meta name="viewport" content="width=device-width,initial-scale=1,maximum-scale=1">
<script src="resources/lib/jquery/dist/jquery.js"></script>
<script src="resources/lib/codemirror/lib/codemirror.js" type="text/javascript" charset="utf-8"></script>
<script src="resources/lib/codemirror/addon/selection/active-line.js" type="text/javascript" charset="utf-8"></script>
<script src="resources/lib/codemirror/mode/loadmode.js"></script>
<script src="resources/lib/codemirror/mode/meta.js"></script>
<script src="resources/lib/codemirror/mode/python/python.js" type="text/javascript" charset="utf-8"></script>
<link rel="stylesheet" href="resources/lib/codemirror/lib/codemirror.css" />
<link rel="stylesheet" href="resources/css/new.css"/>
</head>
<body>
<div id="container">
<div class="dialogWidget">
<div class="dijitDialogTitleBar">
<div class="dijitDialogTitle">Create Snippet</div>
</div>
<div class="dijitDialogPaneContent">
<input id="name" type="text" class="title" placeholder="Title (optional)" />
<div class="form-group">
<select id="mode" class="form-control">
<option value="" disabled selected style='display:none;'>Code Type</option>
<option id="text/apl" > APL</option>
<option id="application/pgp" > PGP</option>
<option id="text/x-ttcn-asn" > ASN.1</option>
<option id="text/x-asterisk" > Asterisk</option>
<option id="text/x-csrc" > C</option>
<option id="text/x-c++src" > C++</option>
<option id="text/x-cobol" > Cobol</option>
<option id="text/x-csharp" > C#</option>
<option id="text/x-clojure" > Clojure</option>
<option id="text/x-cmake" > CMake</option>
<option id="text/x-coffeescript" > CoffeeScript</option>
<option id="text/x-common-lisp" > Common Lisp</option>
<option id="application/x-cypher-query" > Cypher</option>
<option id="text/x-cython" > Cython</option>
<option id="text/css" > CSS</option>
<option id="text/x-cassandra" > CQL</option>
<option id="text/x-d" > D</option>
<option id="application/dart" > Dart</option>
<option id="text/x-diff" > diff</option>
<option id="text/x-django" > Django</option>
<option id="text/x-dockerfile" > Dockerfile</option>
<option id="application/xml-dtd" > DTD</option>
<option id="text/x-dylan" > Dylan</option>
<option id="text/x-ebnf" > EBNF</option>
<option id="text/x-ecl" > ECL</option>
<option id="text/x-eiffel" > Eiffel</option>
<option id="application/x-ejs" > Embedded Javascript</option>
<option id="application/x-erb" > Embedded Ruby</option>
<option id="text/x-erlang" > Erlang</option>
<option id="text/x-forth" > Forth</option>
<option id="text/x-fortran" > Fortran</option>
<option id="text/x-fsharp" > F#</option>
<option id="text/x-gas" > Gas</option>
<option id="text/x-feature" > Gherkin</option>
<option id="text/x-gfm" > GitHub Flavored Markdown</option>
<option id="text/x-go" > Go</option>
<option id="text/x-groovy" > Groovy</option>
<option id="text/x-haml" > HAML</option>
<option id="text/x-haskell" > Haskell</option>
<option id="text/x-haxe" > Haxe</option>
<option id="text/x-hxml" > HXML</option>
<option id="application/x-aspx" > ASP.NET</option>
<option id="text/html" > HTML</option>
<option id="message/http" > HTTP</option>
<option id="text/x-idl" > IDL</option>
<option id="text/x-jade" > Jade</option>
<option id="text/x-java" > Java</option>
<option id="application/x-jsp" > Java Server Pages</option>
<option id="text/javascript" > JavaScript</option>
<option id="application/json" > JSON</option>
<option id="application/ld+json" > JSON-LD</option>
<option id="text/x-julia" > Julia</option>
<option id="text/x-kotlin" > Kotlin</option>
<option id="text/x-less" > LESS</option>
<option id="text/x-livescript" > LiveScript</option>
<option id="text/x-lua" > Lua</option>
<option id="text/x-markdown" > Markdown</option>
<option id="text/mirc" > mIRC</option>
<option id="text/x-mariadb" > MariaDB SQL</option>
<option id="text/x-mathematica" > Mathematica</option>
<option id="text/x-modelica" > Modelica</option>
<option id="text/x-mumps" > MUMPS</option>
<option id="text/x-mssql" > MS SQL</option>
<option id="text/x-mysql" > MySQL</option>
<option id="text/x-nginx-conf" > Nginx</option>
<option id="text/n-triples" > NTriples</option>
<option id="text/x-objectivec" > Objective C</option>
<option id="text/x-ocaml" > OCaml</option>
<option id="text/x-octave" > Octave</option>
<option id="text/x-pascal" > Pascal</option>
<option id="text/x-perl" > Perl</option>
<option id="application/x-httpd-php" > PHP</option>
<option id="text/x-pig" > Pig</option>
<option id="text/plain" > Plain Text</option>
<option id="text/x-plsql" > PLSQL</option>
<option id="text/x-properties" > Properties files</option>
<option id="text/x-python" > Python</option>
<option id="text/x-puppet" > Puppet</option>
<option id="text/x-q" > Q</option>
<option id="text/x-rsrc" > R</option>
<option id="text/x-rst" > reStructuredText</option>
<option id="text/x-rpm-changes" > RPM Changes</option>
<option id="text/x-rpm-spec" > RPM Spec</option>
<option id="text/x-ruby" > Ruby</option>
<option id="text/x-rustsrc" > Rust</option>
<option id="text/x-sass" > Sass</option>
<option id="text/x-scala" > Scala</option>
<option id="text/x-scheme" > Scheme</option>
<option id="text/x-scss" > SCSS</option>
<option id="text/x-sh" > Shell</option>
<option id="application/sieve" > Sieve</option>
<option id="text/x-slim" > Slim</option>
<option id="text/x-stsrc" > Smalltalk</option>
<option id="text/x-smarty" > Smarty</option>
<option id="text/x-solr" > Solr</option>
<option id="text/x-soy" > Soy</option>
<option id="application/sparql-query" > SPARQL</option>
<option id="text/x-spreadsheet" > Spreadsheet</option>
<option id="text/x-sql" > SQL</option>
<option id="text/x-mariadb" > MariaDB</option>
<option id="text/x-stex" > sTeX</option>
<option id="text/x-latex" > LaTeX</option>
<option id="text/x-systemverilog" > SystemVerilog</option>
<option id="text/x-tcl" > Tcl</option>
<option id="text/x-textile" > Textile</option>
<option id="text/x-tiddlywiki" > TiddlyWiki </option>
<option id="text/tiki" > Tiki wiki</option>
<option id="text/x-toml" > TOML</option>
<option id="text/x-tornado" > Tornado</option>
<option id="troff" > troff</option>
<option id="text/x-ttcn" > TTCN</option>
<option id="text/x-ttcn-cfg" > TTCN_CFG</option>
<option id="text/turtle" > Turtle</option>
<option id="application/typescript" > TypeScript</option>
<option id="text/x-twig" > Twig</option>
<option id="text/x-vb" > VB.NET</option>
<option id="text/vbscript" > VBScript</option>
<option id="text/velocity" > Velocity</option>
<option id="text/x-verilog" > Verilog</option>
<option id="application/xml" > XML</option>
<option id="application/xquery" > XQuery</option>
<option id="text/x-yaml" > YAML</option>
<option id="text/x-z80" > Z80</option>
</select>
</div>
<div id="editor-pane">
<div id="editor"></div>
</div>
<div class="message_area">
<textarea id="message" type="text" placeholder="Add Comment (Optional)" ></textarea>
</div>
<div class="buttons">
<button id="submit" class="btn_green">Create & Post</button>
<button class="dailogueCancel" id="cancel">Cancel</button>
</div>
</div>
</div>
</div>
<div class="invisible" data-create-url="${createURL}"></div>
<script src="resources/js/flockback.js" type="text/javascript"></script>
<script src="resources/js/detect.js" type="text/javascript"></script>
<script src="resources/js/new.js" type="text/javascript"></script>
</body>
</html>
This is bascially an editor in which i can type a title and text
If it type <script>alert(10)</script>
I want to avoid this.
I tried adding the following to the web.xml :
<context-param>
<param-name>defaultHtmlEscape</param-name>
<param-value>true</param-value>
</context-param>
But it didnt work. Probably because this only works with forms.
Please guide Is there any way which spring provides so that i dont need to handle this manually ?
Thanks
JavaJava EEJavaScriptCOBOL
Last Comment
gurpsbassi
ASKER
hi
yes just typing the script does not get executed. only when i press a button which post the data to the server.
yes just typing the script does not get executed. only when i press a button which post the data to the server.
ASKER
currently i am not using forms but an ajax call which posts the entered data to the server
This is the best money I have ever spent. I cannot not tell you how many times these folks have saved my bacon. I learn so much from the contributors.
rwheeler23
Ok, so the data is definitely hitting the server? i.e. can you see <script>alert(10)</script>
ASKER
yes its getting passes to the controller
Seems the documentation only refers to it being used in forms.
What happens if you wrap your input field in a form?
What happens if you wrap your input field in a form?
Get an unlimited membership to EE for less than $4 a week.
Unlimited question asking, solutions, articles and more.
ASKER
wrapping input field in form tag does not work. I tried the following :
<form:form>
<input id="name" type="text" class="title" placeholder="Title (optional)" />
</form:form>
ASKER
It looks like because the post request is not going through the form but through ajax call.. so just wrapping into form is not working
ASKER CERTIFIED SOLUTION
Log in or sign up to see answer
Become an EE member today7-DAY FREE TRIAL
Members can start a 7-Day Free trial then enjoy unlimited access to the platform
or
Learn why we charge membership fees
We get it - no one likes a content blocker. Take one extra minute and find out why we block content.
Not exactly the question you had in mind?
Sign up for an EE membership and get your own personalized solution. With an EE membership, you can ask unlimited troubleshooting, research, or opinion questions.
ask a question
So having that defaultHtmlEscape context param will make no difference.
I'm not heavily clued up on XSS but isn't the point of it to prevent the server being hit with illegal characters? i.e you have to do a form post to get that to happen.