schu777

Reputation: 376

How to avoid XSS with this bit of scriptlet?

Using Checkmarx, this one page has multiple uses of "request.getParameterNames()" and is flagged by Checkmarx as "CGI_Reflected_XSS_All_Clients" (Query Name). The page is "error.jsp", so it is a common page that is used across multiple apps in my company. This page gets displayed when an unexpected error occurs. Why this way? Who knows; best to not show it and just log it instead. I'm pretty new to fixing code reported as vulnerable by Checkmarx.

<%@ page import="java.util.Enumeration" %>
<h3>Request Parameters</h3>
<pre>
<%
   // Every request parameter name and value is written back into the page
   // unescaped, which is the reflected XSS Checkmarx reports.
   Enumeration<String> lEnum = request.getParameterNames();
   while(lEnum.hasMoreElements())
   {
      String key = lEnum.nextElement();
      String[] paramValues = request.getParameterValues(key);
      for(int i = 0; i < paramValues.length; i++)
      {
         out.println("  " + key + " : "  + paramValues[i]);
      }
   }
%>
</pre>

Upvotes: 0

Views: 500

Answers (2)

Neil Nandi

Reputation: 139

Use Spring-Web's HtmlUtils.htmlEscape(Variable) to sanitize parameters before passing them to the method.

Also, you can try

Variable=Variable.replace("'", ""); with it as well.

Use both on parameters before passing them to the method.

Upvotes: 0

fgb

Reputation: 18559

The values output to the page need to be escaped for HTML. Replace quotes, brackets, and ampersands with their entities. This can be done with libraries such as Guava like:

<%@ page import="com.google.common.escape.Escaper" %>
<%@ page import="com.google.common.html.HtmlEscapers" %>
// inside the for loop, replacing the unescaped out.println:
Escaper escaper = HtmlEscapers.htmlEscaper();
// escape both the name and the value; either one can be attacker-controlled
out.println("  " + escaper.escape(key) + " : " + escaper.escape(paramValues[i]));

Upvotes: 1
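As an added illustration (not code from the question or either answer), the following stand-alone Java class renders the same parameter dump with every key and value HTML-escaped. The htmlEscape helper stands in for Guava's HtmlEscapers so the class runs with no extra dependencies, and the parameter map is a constructed sample rather than a real HttpServletRequest.

```java
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

public class ErrorPageEscapeDemo {

    // Escapes the five characters that can change meaning in HTML text content.
    // This is what Guava's HtmlEscapers.htmlEscaper() or Spring's HtmlUtils.htmlEscape() do.
    static String htmlEscape(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Produces the same <pre> block as the error.jsp scriptlet, but every key
    // and value passes through htmlEscape() before it reaches the page.
    static String renderParameters(Map<String, List<String>> params) {
        StringBuilder out = new StringBuilder("<pre>\n");
        for (Map.Entry<String, List<String>> e : params.entrySet()) {
            for (String value : e.getValue()) {
                out.append("  ").append(htmlEscape(e.getKey()))
                   .append(" : ").append(htmlEscape(value)).append('\n');
            }
        }
        return out.append("</pre>").toString();
    }

    public static void main(String[] args) {
        // Constructed sample parameters: one plain value and one containing
        // every character the escaper must neutralise.
        Map<String, List<String>> params = new LinkedHashMap<>();
        params.put("id", List.of("42"));
        params.put("q", List.of("<b>x</b> & \"double\" 'single'"));
        System.out.println(renderParameters(params));
    }
}
```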
