copenndthagen

Reputation: 50800

Fix cross site scripting issue

I have got a cross site scripting issue (reported by one of the tools). I have a form on my screen with various fields. Now if the user enters a <script>alert("1")</script> tag for field 1, the browser shows a popup with the value 1.

If the user enters <html>testString</html> or <script>alert("1")</script> for field 1, it is sent encoded to the server and retrieved back encoded properly, but if the user does not modify field 1 containing these tags and only updates other fields like field 2 or 3, field 1 gets messed up, as it is sent to the server non-encoded.

How can I fix this issue? Is there any standard way of fixing such issues?

Also, I use a Java resource where the form values are posted. So are any changes needed to the same as well?

Upvotes: 0

Views: 1623

Answers (1)

Tintu C Raju

Reputation: 2700

For this you have to replace characters like '<' with their corresponding HTML entity equivalents like '&lt;'. It's better to do it on the server side, since client-side validation can be blocked by the user. In JavaScript we can do it like this.

// Encode the string for HTML output before writing it into the document,
// so the browser renders the text "<script>" instead of executing a tag.
document.write(htmlentities("<script>"));

// Replace every '&', '<', '>', '"', "'" (and any character in the
// non-ASCII range U+00A0-U+9999) with its numeric character reference,
// e.g. '<' becomes '&#60;'. Quotes are included so the result is also
// safe inside a quoted attribute value, not only in a text node.
function htmlentities(str) {
    var ret = str.replace(/[\u00A0-\u9999<>&"']/gim, function(i) {
       return '&#' + i.charCodeAt(0) + ';';
    });
    return ret;
}

Upvotes: 1
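The point in the answer above, and the symptom from the question (an unedited field being written back raw), both come down to escaping at output time for every field, not only the one the user just changed. The following is an added example and not the answerer's code; the names escapeHtml, renderInput, renderForm and the sample record are assumptions for illustration.

```javascript
// Added example: output-encode every field at render time, whether or not the
// user changed it, so an unmodified field 1 is never written back raw.
// escapeHtml, renderInput, renderForm and `record` are hypothetical names.

// The five characters that can break out of an HTML text node or a
// double/single-quoted attribute value, mapped to named entities.
const ENTITY_MAP = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

function escapeHtml(str) {
  return String(str).replace(/[&<>"']/g, (ch) => ENTITY_MAP[ch]);
}

// Render one <input> whose value attribute is escaped. Field names are
// restricted to a safe pattern so they cannot smuggle attribute text in.
function renderInput(name, value) {
  if (!/^[A-Za-z0-9_]+$/.test(name)) {
    throw new Error(`unsafe field name: ${name}`);
  }
  return `<label>${name} <input name="${name}" value="${escapeHtml(value)}"></label>`;
}

// Render the whole record the same way on every round trip. Because the
// escaping is applied at output for all fields, it does not matter which
// field the user edited last.
function renderForm(record) {
  return Object.entries(record)
    .map(([name, value]) => renderInput(name, value))
    .join('\n');
}

// Constructed sample record: field1 still holds the payload from the
// question unchanged, field2 is the one the user updated this time.
const record = {
  field1: '<script>alert("1")</script>',
  field2: 'updated value',
};

console.log(renderForm(record));
```

The same rule applies to the Java side mentioned in the question: store the raw value, and escape it once, in the server-side template or in the client code that renders it, never in between.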
