Bharadwaja Andy
Reputation: 1
Possibilities of Bypassing the Constructed attributes for input sanitization
Hello All I have implemented the following pattern for sanitizing the XSS input. Can you help me if there is any possibility or any payload that can be constructed in bypassing the below patterns
str = str.replaceAll("\\<.*?\\>", ""); str = str.replaceAll("\\<.*?\\>", "");
private static final String XSS_PATTERN = "<(?:img\\s+src\\s*=\\s*[^>]+\\s+onerror\\s*=\\s*\"?[^>]*prompt\\(.*\\)[^>]*>|script\\s*>[^<]*alert\\(.*\\)[^<]*</script\\s*)>|<\\s*img\\s+src\\s*=\\s*[^>]+\\s+onerror\\s*=\\s*\"?[^>]*prompt\\(.*\\)[^>]*>|<\\s*img\\s+src\\s*=\\s*[^>]*\\b(onerror=eval\\(src\\))[^>]*>|script\\s*>.*\\</script\\s*>|style\\s*>.*\\</style\\s*>";
private static final String XSS_PATTERN2 = "<(?:img\\s+src\\s*=\\s*[^>]+\\s+onerror\\s*=\\s*\"?[^>]*prompt\\(.*\\)[^>]*>|script\\s*>[^<]*alert\\(.*\\)[^<]*</script\\s*)>|<\\s*img\\s+src\\s*=\\s*[^>]+\\s+onerror\\s*=\\s*\"?[^>]*prompt\\(.*\\)[^>]*>|<\\s*img\\s+src\\s*=\\s*[^>]*\\b(onerror=eval\\(src\\))[^>]*>|script\\s*>.*\\</script\\s*>|style\\s*>.*\\</style\\s*>";
Upvotes: 0
Views: 32
Answers (0)
Related Questions
- Blazor Form - User Input Sanitization (<InputText>, <InputTextArea> etc)
- Java XSS Sanitization for nested HTML elements
- Input sanitization in ReactJS
- JSoup vs OWSAP AntiSamy for JSON Sanitization
- Input sanitization with MVC Razor - how to be safe?
- Why so much HTML input sanitization necessary?
- Is it safe to display user input as input values without sanitization?