
How to fix endemic XSS vulnerabilities in a Java webapp
<p>I am working on a Java web application that is many years old.</p>
<p>Most of the <code>&lt;bean:write&gt;</code>s in the JSPs have <code>filter="false"</code> even when it isn't needed, probably because of developers blindly copying existing code. <code>&lt;bean:write&gt;</code> is the Struts tag to output a JSP variable, and when <code>filter="false"</code> is specified it does not do HTML escaping (so <code>filter="false"</code> is similar to the <code>&lt;c:out&gt;</code> attribute <code>escapeXml="false"</code>). This means that the application is vulnerable to XSS attacks, because some of these <code>&lt;bean:write filter="false"&gt;</code>s are outputting user input.</p>
<p>A blanket removal of <code>filter="false"</code> isn't an option because in some cases the application allows the user to enter HTML using a TinyMCE text area, so we do need to output raw HTML in some cases to retain the user-entered formatting (although we should still be sanitising user-entered HTML to remove scripts).</p>
<p>There are thousands of <code>filter="false"</code>s in the code so an audit of each one to work out whether it is required would take too long.</p>
<p>What we are thinking of doing is making our own version of the <code>bean:write</code> tag, say <code>secure:write</code>, and doing a global find/replace of bean:write with secure:write in our JSPs. <code>secure:write</code> will strip scripts from the output when <code>filter="false"</code> is specified. After this change users would still be able to cause formatting HTML to be output where they shouldn't really be able to, but we aren't worried about that for the time being as long as the XSS vulnerabilities are fixed.</p>
<p>We would like to use a library to implement the script-stripping in the <code>secure:write</code> tag and we have been looking at <a href="https://www.owasp.org/index.php/Category:OWASP_AntiSamy_Project" rel="nofollow">https://www.owasp.org/index.php/Category:OWASP_AntiSamy_Project</a> and <a href="https://code.google.com/p/owasp-java-html-sanitizer/" rel="nofollow">https://code.google.com/p/owasp-java-html-sanitizer/</a>. Both look like they are capable of sanitising HTML, although AntiSamy looks like it is intended to be used to sanitise HTML on the way in to the application instead of on the way out, and since data is output more often than it is input we are concerned that running all of our <code>secure:write</code> output through it could be slow.</p>
<p>I have 2 main questions:</p>
<p>1) Will our proposed approach work to fix the XSS vulnerabilities caused by <code>filter="false"</code>?</p>
<p>2) Can anyone recommend a library to use for HTML sanitisation when displaying content, i.e. which is fast enough to not significantly affect the page-rendering performance? Has anyone used AntiSamy or owasp-java-html-sanitizer for something similar?</p>
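One shape the proposed <code>secure:write</code> tag could take, as an added example (not the asker's code and not part of Struts or the OWASP project): a JSP simple tag that escapes when <code>filter="true"</code>, exactly as <code>bean:write</code> does, and runs the value through an owasp-java-html-sanitizer allow-list policy when <code>filter="false"</code>. The class name, the <code>value</code> attribute (used here instead of bean:write's <code>name</code>/<code>property</code> lookup) and the chosen policy are assumptions.

```java
import java.io.IOException;
import javax.servlet.jsp.JspException;
import javax.servlet.jsp.tagext.SimpleTagSupport;
import org.owasp.html.PolicyFactory;
import org.owasp.html.Sanitizers;

/** Hypothetical replacement for bean:write; not a real Struts or OWASP class. */
public class SecureWriteTag extends SimpleTagSupport {
    // Output-side allow-list: the inline/block formatting and links TinyMCE emits.
    // Anything outside the list (script, event-handler attributes, unsafe URL
    // schemes) is dropped. PolicyFactory is immutable and thread-safe, so one
    // instance is built once and reused for every request, keeping output cheap.
    private static final PolicyFactory OUTPUT_POLICY =
            Sanitizers.FORMATTING.and(Sanitizers.BLOCKS).and(Sanitizers.LINKS);

    private Object value;          // assumed attribute: the value to write out
    private boolean filter = true; // same default as bean:write: escape unless told not to

    public void setValue(Object value) { this.value = value; }
    public void setFilter(boolean filter) { this.filter = filter; }

    /** filter="true" escapes as before; filter="false" now sanitises instead of trusting. */
    static String render(Object value, boolean filter) {
        if (value == null) {
            return "";
        }
        String text = value.toString();
        return filter ? escapeHtml(text) : OUTPUT_POLICY.sanitize(text);
    }

    // Minimal HTML-content escaping, equivalent to what bean:write does with filter="true".
    static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    @Override
    public void doTag() throws JspException, IOException {
        getJspContext().getOut().write(render(value, filter));
    }
}
```

The tag still needs a TLD entry declaring the <code>value</code> and <code>filter</code> attributes before the find/replace can take effect. The sanitiser is only a safe substitute where <code>filter="false"</code> writes into HTML element content; occurrences inside attribute values, <code>&lt;script&gt;</code> blocks or URLs need context-specific encoding and should be found and handled separately.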