Reputation: 41
The following code gives the Veracode flaw "Improper Neutralization of Script-Related HTML Tags in a Web Page" on the line out.write(outByte,0,iRead):
    try {
        // look up the image BLOB by the numeric id taken from the request
        bytesImage = helper.getBlob(Integer.parseInt(id));
        ByteArrayInputStream bin = new ByteArrayInputStream(bytesImage);
        ServletOutputStream out = response.getOutputStream();
        outByte = new byte[bytesImage.length];
        int iRead = 0;
        // copy the raw bytes to the response; this write is the line Veracode flags
        while ((iRead = bin.read(outByte)) > 0) {
            out.write(outByte, 0, iRead);
        }
I found a lot of similar issues here, but all with strings only. These could be fixed with something like this:
> out.write(ESAPI.encoder().encodeForHTML(theSimpleString));
but for the binary OutputStream this will not work.
Any hints on how to get the above Veracode issue solved?
As suggested by @sinkmanu, I tried to convert the bytes to a String and then applied ESAPI.encoder().encodeForHTML().
I added two conversion methods:
    import java.io.IOException;
    import sun.misc.BASE64Decoder;   // JDK-internal classes (sun.misc), not part of the public API
    import sun.misc.BASE64Encoder;

    // byte[] -> Base64 text, so the ESAPI String encoder can be applied
    private static String base64Encode(byte[] bytes) {
        return new BASE64Encoder().encode(bytes);
    }

    // Base64 text -> byte[], to get a binary array back for the response
    private static byte[] base64Decode(String s) throws IOException {
        return new BASE64Decoder().decodeBuffer(s);
    }
then tried with this code:
...
    bytes = helper.getBlob(inId);

    // 1 -> this solves the Veracode issue, but the image is not valid anymore
    String encodedString = base64Encode(bytes);
    String safeString = ESAPI.encoder().encodeForHTML(encodedString);
    safeBytes = base64Decode(safeString);

    // 2 -> as written above, when I use the safe 'safeBytes' the Veracode flaw is gone,
    //      but the app is not working anymore (image not ok)
    // ByteArrayInputStream bin = new ByteArrayInputStream(safeBytes);
    // outBytes = new byte[safeBytes.length];

    // 3 -> just use the 'unsafe' bytes -> app is working, but the Veracode flaw needs to be fixed!
    ByteArrayInputStream bin = new ByteArrayInputStream(bytes);
    outBytes = new byte[bytes.length];
    int iRead = 0;
    ServletOutputStream out = response.getOutputStream();
    while ((iRead = bin.read(outBytes)) > 0) {
        out.write(outBytes, 0, iRead);
    }
...
The above could solve the Veracode issue (when 2 is uncommented), but the image then seems to be corrupt (cannot be processed anymore?). Any hint on how I can solve the Veracode issue with the binary stream?
Upvotes: 1
Views: 10066
Reputation: 41
    // byte[] -> Base64 String via ESAPI (second argument: no line wrapping)
    String safeString = ESAPI.encoder().encodeForBase64(bytes, false);
    // Base64 String -> byte[] via ESAPI; declared to throw IOException
    byte[] safeBytes = ESAPI.encoder().decodeFromBase64(safeString);
In the ESAPI libs there are also methods to encode and decode from Base64. This was the solution to my problem. The above two lines do the magic for Veracode, and when using the "safeBytes" in the code later on everything is fine...
Upvotes: 1
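The flaw reported above (CWE-80) is a taint-tracking result: bytes from the database reach the HTTP response without passing through anything Veracode recognizes as neutralization. The following servlet is an added example, not code from the original question or from either answer, and it shows the controls that actually matter for a binary image endpoint: a strict numeric id, a size cap, a magic-byte check so that a "picture" that is really HTML is refused, a Content-Type derived from that check, and `X-Content-Type-Options: nosniff` plus a sandboxing CSP so the browser will not render the body as a page. `BlobHelper.getBlob` is a placeholder standing in for the poster's `helper.getBlob(id)` and returns a constructed PNG signature for id 1 so the class compiles on its own.

```java
import java.io.IOException;
import java.io.OutputStream;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Added example: streams an image BLOB so that it can never be interpreted as HTML. */
public class ImageServlet extends HttpServlet {

    private static final int MAX_IMAGE_BYTES = 5 * 1024 * 1024; // assumed upper bound for one image

    /** Returns the MIME type implied by the leading "magic" bytes, or null if it is not a known image. */
    static String detectImageType(byte[] data) {
        if (data == null) {
            return null;
        }
        if (data.length >= 8 && (data[0] & 0xFF) == 0x89 && data[1] == 'P' && data[2] == 'N' && data[3] == 'G'
                && data[4] == 0x0D && data[5] == 0x0A && data[6] == 0x1A && data[7] == 0x0A) {
            return "image/png";
        }
        if (data.length >= 3 && (data[0] & 0xFF) == 0xFF && (data[1] & 0xFF) == 0xD8 && (data[2] & 0xFF) == 0xFF) {
            return "image/jpeg";
        }
        if (data.length >= 6 && data[0] == 'G' && data[1] == 'I' && data[2] == 'F' && data[3] == '8'
                && (data[4] == '7' || data[4] == '9') && data[5] == 'a') {
            return "image/gif";
        }
        return null; // "<html>..." or anything else lands here and is rejected by the caller
    }

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // 1. Input validation: the id must parse as a positive int; nothing else reaches the lookup.
        int id;
        try {
            id = Integer.parseInt(request.getParameter("id"));
        } catch (NumberFormatException e) {
            response.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        if (id <= 0) {
            response.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }

        byte[] bytes = BlobHelper.getBlob(id); // placeholder for the poster's helper.getBlob(id)
        if (bytes == null) {
            response.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        if (bytes.length > MAX_IMAGE_BYTES) {
            response.sendError(HttpServletResponse.SC_REQUEST_ENTITY_TOO_LARGE);
            return;
        }

        // 2. Content validation: only bytes that really start like an image are served.
        String contentType = detectImageType(bytes);
        if (contentType == null) {
            response.sendError(HttpServletResponse.SC_UNSUPPORTED_MEDIA_TYPE);
            return;
        }

        // 3. Headers that stop the browser from treating the body as a web page.
        response.setContentType(contentType);                          // taken from the check, not from the client
        response.setHeader("X-Content-Type-Options", "nosniff");       // no MIME sniffing
        response.setHeader("Content-Disposition", "inline; filename=\"image-" + id + "\""); // validated int only
        response.setHeader("Content-Security-Policy", "default-src 'none'; sandbox");
        response.setContentLength(bytes.length);

        // 4. Binary write: no String conversion and no HTML encoder, just the verified bytes.
        try (OutputStream out = response.getOutputStream()) {
            out.write(bytes, 0, bytes.length);
            out.flush();
        }
    }

    /** Placeholder for the poster's 'helper'; a real implementation reads the BLOB from the database. */
    static final class BlobHelper {
        static byte[] getBlob(int id) {
            // Constructed sample: the 8-byte PNG signature, so the example is self-contained.
            return id == 1 ? new byte[] {(byte) 0x89, 'P', 'N', 'G', 0x0D, 0x0A, 0x1A, 0x0A} : null;
        }
    }
}
```

Note on the accepted answer's approach: `encodeForBase64` followed by `decodeFromBase64` returns a byte array identical to the input, so at runtime it changes nothing about what is sent to the client. It satisfies the scanner's data-flow rule; what actually prevents a stored blob from being rendered as script is the content check, the server-chosen Content-Type and the `nosniff` header above.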
Reputation: 1102
To sanitize strings you can use encodeForHTML from the ESAPI library or StringEscapeUtils from Apache.
    import static org.apache.commons.lang.StringEscapeUtils.escapeHtml;

    // untrusted input containing markup
    String data = "<script>alert(document.cookie);</script>";
    // HTML-escaped form: the angle brackets become &lt; and &gt;
    String escaped = escapeHtml(data);
If your data is not a String, you have to convert it to String. Also, if you are sure that the data that you have are escaped, you can ignore the warning because it is a false positive.
Upvotes: 0
Reputation: 1
You can validate file using following function: ESAPI.validator().getValidFileContent()
Upvotes: 0