Hemanshu
Reputation: 459
Xss sanitization in java
I have a code piece to sanitize string symbols '<' and '>' for XSS attacks. Do you see any point in the snippet below where someone can break the code for these two symbols. I know XSS has lot more to sanitize and there are standard libraries. But do we expect any failures/breakage for the snippet below? Thinking from encoding/character set point of view also. Please have a look and suggest.
We can use replace also but this is already written code and I have to break it.
String next=""; //this will be a html get request param
final StringBuffer sb = new StringBuffer();
for (int i = 0; i < next.length(); ++i) {
final char ch = next.charAt(i);
if (ch == '<') {
sb.append("<");
} else if (ch == '>') {
sb.append(">");
} else {
sb.append(ch);
}
}
Upvotes: 0
Views: 1238
Answers (1)
Christian Kuetbach
Reputation: 16060
One possible attack would be:
<
This sign is also a < and need to be replace.
In fact I would suggest NOT to write the replacement yourself. Use ESAPE by OWASP or commons-lang from apache.
Upvotes: 4
Related Questions
- How to sanitize HTML code in Java to prevent XSS attacks?
- Add XSS validations/ sanitize script tags in Java
- AntiSamy to prevent XSS in java?
- How to sanitize HTML code to prevent XSS attacks in Java or JSP?
- XSS prevention, minimal implementation
- XSS vulnerability in java
- how to fix XSS Reflected in java
- How to perform output encoding using filter to prevent XSS?
- Sanitize CSS Using Java
- Java 5 HTML escaping To Prevent XSS