Reputation: 459
I have a piece of code that sanitizes the string symbols '<' and '>' against XSS attacks. Do you see any point in the snippet below where someone could break the code for these two symbols? I know XSS has a lot more to sanitize and that there are standard libraries, but do we expect any failures/breakage for the snippet below? Thinking from an encoding/character set point of view as well. Please have a look and suggest.
We could use replace() as well, but this is already-written code and I have to break it.
String next = ""; // this will be an HTML GET request param
final StringBuffer sb = new StringBuffer(); // sanitized copy of the parameter
for (int i = 0; i < next.length(); ++i) {
    final char ch = next.charAt(i);
    if (ch == '<') {
        sb.append("&lt;");      // entity-encode the tag opener
    } else if (ch == '>') {
        sb.append("&gt;");      // entity-encode the tag closer
    } else {
        sb.append(ch);          // everything else is passed through unchanged
    }
}
Upvotes: 0
Views: 1238
Reputation: 16060
One possible attack would be:
<
This sign is also a < and needs to be replaced.
In fact, I would suggest NOT writing the replacement yourself. Use ESAPI by OWASP or commons-lang from Apache.
Upvotes: 4
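The following is an added, runnable example (not code from the question or the answer above) that puts the question's escaper beside inputs that get past it. It shows the three things a practitioner would check: that the loop does hold in plain element content, that it is useless once the value lands inside a quoted attribute (no '<' is needed there), and the encoding angle the answer raises with its look-alike sign, assumed here to be U+FF1C FULLWIDTH LESS-THAN SIGN (my choice of glyph). The class name, method names and the hardened `escapeHtml` variant are my own; the hardened variant is only meant to show which extra characters matter, not to replace a proper library such as OWASP ESAPI or Commons Lang.

```java
import java.text.Normalizer;

public class LtGtEscapeDemo {

    // The escaper from the question, wrapped in a method so it can be called on test input.
    static String escapeLtGtOnly(String next) {
        final StringBuilder sb = new StringBuilder(next.length());
        for (int i = 0; i < next.length(); ++i) {
            final char ch = next.charAt(i);
            if (ch == '<') {
                sb.append("&lt;");
            } else if (ch == '>') {
                sb.append("&gt;");
            } else {
                sb.append(ch);
            }
        }
        return sb.toString();
    }

    // Hardened variant (added here, not from the page): also neutralises the
    // characters that terminate a quoted attribute value or start an entity.
    // Adequate for element content and quoted attribute values; still NOT
    // enough inside <script>, inside a <style> block or in a URL, which need
    // their own context-specific encoders.
    static String escapeHtml(String s) {
        final StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); ++i) {
            final char ch = s.charAt(i);
            switch (ch) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(ch);
            }
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // 1. Element content: the posted escaper holds here, because a tag
        //    cannot start without a literal '<'.
        String p1 = "<script>alert(1)</script>";
        System.out.println("<p>" + escapeLtGtOnly(p1) + "</p>");

        // 2. Quoted attribute: neither '<' nor '>' is needed. The attacker's
        //    double quote closes the value and an event-handler attribute
        //    follows; the posted escaper passes every character through.
        String p2 = "\" autofocus onfocus=\"alert(1)";
        System.out.println("<input value=\"" + escapeLtGtOnly(p2) + "\">");
        System.out.println("<input value=\"" + escapeHtml(p2) + "\">");

        // 3. Encoding/character-set angle. '<' (U+003C) is always a single
        //    UTF-16 code unit, so the char-by-char loop cannot be fooled by
        //    surrogate pairs for these two symbols. A look-alike such as
        //    U+FF1C FULLWIDTH LESS-THAN SIGN is a different char, so it is
        //    not escaped; if anything downstream applies NFKC normalisation
        //    (or a lossy transcoding), it becomes a real '<' after the
        //    escaper has already run.
        String p3 = "\uFF1Cscript\uFF1Ealert(1)\uFF1C/script\uFF1E";
        String escaped = escapeLtGtOnly(p3);
        System.out.println(escaped.equals(p3));   // the escaper left it untouched
        System.out.println(Normalizer.normalize(escaped, Normalizer.Form.NFKC));
    }
}
```

Compile and run with `javac LtGtEscapeDemo.java && java LtGtEscapeDemo`. Case 2 produces `<input value="" autofocus onfocus="alert(1)">` from the posted escaper and an inert `&quot;`-encoded value from the hardened one; case 3 prints `true` followed by a plain `<script>alert(1)</script>`, which is exactly the class of failure the answer's look-alike sign is pointing at. The practical check is therefore the output context, not the two characters: escape for the place the value is inserted (element content, attribute, JavaScript, URL) and make sure no normalisation or charset conversion runs after the escaper.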