Reputation: 3196
Patterns to check to avoid XSS attack
I have written a Filter Below is the code.
public void doFilter(ServletRequest request, ServletResponse response,FilterChain chain)
throws IOException, ServletException {
HttpServletRequest srequest = (HttpServletRequest) request;
HttpServletResponse sresponse = (HttpServletResponse) response;
String url = srequest.getRequestURI();
if(url.contains("//What patterns to be checked here?"))
{
//Invalidate the Session
//Redirect to error page
}
Am reading the URL formed and want to avoid XSS attacks. So, I want to check in the URL for any patterns which might indicate that it could lead to XSS attack.
Can I get a consolidated list of all patterns that I can check here? For eg.,
url.contains("<script>");
Upvotes: 0
Views: 3215
Answers (1)
Reputation: 1510
Wow, DON'T. There's lots of sources that would explain to you why:
- Black Listing is almost always a bad thing
- You should not check for XSS on input but, escape output regardless of its source
If you want more info on preventing XSS then go to Owasp xss cheat sheet.
On the other site if you want to add some limited scripting/editing functionality to your web site, you could and should use substitution (like in stackoverflow you don't write <\b> you use ** which is later transformed to appropriate html tags). Or you can use whitelisting, only and only allow text and some of the tags, but it can be tricky and you would have to be very careful.
Upvotes: 6
Related Questions
- XSS prevention in JSP/Servlet web application
- prevent XSS attacks In JSPs
- CSRF, XSS and SQL Injection attack prevention in JSF
- How to avoid Cross Site Scripting (XSS) attacks while using JSF and RichEditor
- How to sanitize HTML code to prevent XSS attacks in Java or JSP?
- XSS attack prevention
- how to prevent XSS attack
- JSF 2.0; escape="false" alternative to prevent XSS?
- XSS attacks in jsp
- protect jsp pages againt xss