Hemanshu

Reputation: 459

XSS sanitization in Java

I have a piece of code to sanitize the string symbols '<' and '>' against XSS attacks. Do you see any point in the snippet below where someone can break the code for these two symbols? I know XSS has a lot more to sanitize and there are standard libraries, but do we expect any failures/breakage for the snippet below? Thinking from the encoding/character set point of view also. Please have a look and suggest.

We can use replace also, but this is already-written code and I have to break it.

// Escapes only '<' and '>' in a request parameter; every other char
// (including '&', '"' and '\'') is copied through unchanged.
static String escapeAngleBrackets(String next) { // next: an HTML GET request param
  final StringBuffer sb = new StringBuffer();
  for (int i = 0; i < next.length(); ++i) {
    final char ch = next.charAt(i);

    if (ch == '<') {
      sb.append("&lt;");
    } else if (ch == '>') {
      sb.append("&gt;");
    } else {
      sb.append(ch);
    }
  }
  return sb.toString();
}

Upvotes: 0

Views: 1238

Answers (1)

Christian Kuetbach

Reputation: 16060

One possible attack would be:

&#0000060

This sign is also a < and needs to be replaced.

In fact, I would suggest NOT writing the replacement yourself. Use ESAPI by OWASP or commons-lang from Apache.

Upvotes: 4
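To make the answer's point concrete, here is an added example (my code, not from the question or the answer) that runs the '<'/'>'-only escaper next to one that also escapes '&', '"' and '\'', over a few constructed probe strings. The escaper in the question never touches '&', so a numeric character reference such as the answer's &#0000060 reaches the browser intact; the browser decodes character references in text and in attribute values, so inside an attribute such as an event handler or a URL the consumer of that attribute sees a real '<'. The other probe shows the more common failure: without escaping '"', a value placed in a quoted attribute can close the quote and add a new attribute. On the character-set point raised in the question: charAt walks UTF-16 code units, and no surrogate code unit (0xD800 to 0xDFFF) equals 0x3C or 0x3E, so the comparison itself is sound for supplementary characters; the last probe checks that. Method and class names are mine.

```java
import java.util.LinkedHashMap;
import java.util.Map;

public class AngleBracketProbe {

    // The questioner's approach: only '<' and '>' are replaced.
    static String escapeAngleBracketsOnly(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char ch = s.charAt(i);
            if (ch == '<') sb.append("&lt;");
            else if (ch == '>') sb.append("&gt;");
            else sb.append(ch);
        }
        return sb.toString();
    }

    // Escapes the five characters that matter in HTML text and quoted attribute values.
    // '&' is escaped first-class so an attacker-supplied reference such as &#0000060
    // is rendered literally instead of being decoded by the browser.
    static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char ch = s.charAt(i);
            switch (ch) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break; // &apos; is not defined in HTML 4
                default:   sb.append(ch);
            }
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed probe inputs, not real request data.
        Map<String, String> probes = new LinkedHashMap<>();
        probes.put("plain tag",          "<script>alert(1)</script>");
        probes.put("numeric reference",  "&#0000060script&#0000062");   // the answer's example
        probes.put("attribute breakout", "\" onmouseover=\"alert(1)");
        probes.put("surrogate pair",     "\uD83D\uDE00<b>");             // emoji, then a tag

        for (Map.Entry<String, String> p : probes.entrySet()) {
            String in = p.getValue();
            System.out.printf("%-20s in:  %s%n", p.getKey(), in);
            System.out.printf("%-20s <>:  %s%n", "", escapeAngleBracketsOnly(in));
            System.out.printf("%-20s all: %s%n", "", escapeHtml(in));
        }

        // The '<' after a surrogate pair is still caught and the pair itself is untouched.
        String out = escapeAngleBracketsOnly("\uD83D\uDE00<b>");
        if (!out.equals("\uD83D\uDE00&lt;b&gt;")) {
            throw new AssertionError("surrogate handling changed: " + out);
        }
        // The questioner's escaper passes the numeric reference through unchanged.
        if (!escapeAngleBracketsOnly("&#0000060").equals("&#0000060")) {
            throw new AssertionError("expected the reference to pass through");
        }
        // The fuller escaper neutralises it by escaping the ampersand.
        if (!escapeHtml("&#0000060").equals("&amp;#0000060")) {
            throw new AssertionError("expected the ampersand to be escaped");
        }
    }
}
```

Even escapeHtml is only correct for HTML text and quoted attribute values; a parameter that lands inside a script block, a URL, or CSS needs the encoder for that context, which is the reason the answer points at ESAPI (OWASP) and commons-lang rather than a hand-written loop.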
