user879220

Reputation: 139

Prevent XSS in Spring MVC

I know this was asked before, but I am trying to figure out how to prevent XSS attacks for my Spring MVC web application.

1) I added the following to my web.xml

<context-param>
    <param-name>defaultHtmlEscape</param-name>
    <param-value>true</param-value>
</context-param>

2) Should I also be using Commons StringEscapeUtils.escapeHtml() for each property in the form command object before I save it in the database? Would I need to unescape at some point as well?

Thanks

Upvotes: 1

Views: 10111

Answers (3)

user879220

Reputation: 139

For now, I decided to sanitize my data and remove any HTML tags to avoid JavaScript attacks.

I'm using Jsoup api to do that.

http://jsoup.org/cookbook/cleaning-html/whitelist-sanitizer

Upvotes: 2

Japan Trivedi

Reputation: 4483

I prefer you try the HDIV API for this kind of data security on your application. It prevents this and 7 other different possible attacks on your web application. I am also currently exploring the same API to use with Spring Framework.

Click here for HDIV home page.

Hope this helps you.

Upvotes: 2

Erlend

Reputation: 4416

Even though escaping HTML by default stops XSS in many contexts, there are certainly contexts where it doesn't work. See an example here: http://erlend.oftedal.no/blog/?id=124

I recommend you take a look at the OWASP XSS Prevention Cheat Sheet. It explains when you need to use different escapings. Regarding 2: don't escape before putting it in the DB. The escape routine could have errors, and you can't be sure that the data will be used in the same context every time.

Upvotes: 2
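Erlend's point about storing raw data and encoding per output context, as an added Java example (not code from the question, the answers, Spring or OWASP): the same stored value is encoded one way for an HTML text node and another way for a JavaScript string literal, at render time rather than before the database write. The `ContextEncoder` class and its method names are hypothetical, and the sample value is constructed.

```java
/** Hypothetical helper: keep the raw value in the database, encode at output per context. */
public final class ContextEncoder {

    // HTML text / quoted-attribute context: replace the characters with HTML meaning.
    // Note this leaves backslashes and line breaks alone, which is why HTML escaping
    // on its own is not enough once the value lands inside a <script> string literal.
    public static String forHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#x27;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // JavaScript string-literal context: \xHH for every non-alphanumeric ASCII character,
    // \uHHHH for everything else, so quotes, backslashes and line terminators cannot
    // end the literal early.
    public static String forJavaScript(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (char c : s.toCharArray()) {
            if (c < 128 && Character.isLetterOrDigit(c)) {
                sb.append(c);
            } else if (c < 256) {
                sb.append(String.format("\\x%02X", (int) c));
            } else {
                sb.append(String.format("\\u%04X", (int) c));
            }
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed sample: the value exactly as it should sit in the database, unescaped.
        String stored = "O'Brien <b>& Co.</b>";

        // One stored value, two output contexts, two different encoders chosen by the view.
        String html = "<td>" + forHtml(stored) + "</td>";
        String js   = "var name = '" + forJavaScript(stored) + "';";
        System.out.println(html);
        System.out.println(js);
    }
}
```

Had the value been HTML-escaped before the insert, the JavaScript rendering would still need its own encoding, and any other consumer of the column (a PDF export, a JSON API) would have to undo the HTML escaping first.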
