How do I prevent people from doing XSS in Spring MVC

Question

What should I do to prevent XSS in Spring MVC  Right now I am just putting all places where I output user text into JSTL  lt c out gt  tags or fn escapeXml   functions  but this seems error prone as I might miss a place   Is there an easy systematic way to prevent this  Maybe like a filter or something  I m collecting input by specifying  RequestParam parameters on my controller methods

User · Answer

I use Hibernate Validator via  Valid for all input objects  binding and  RequestBody json  see https   dzone com articles spring-31-valid-requestbody   So  org hibernate validator constraints SafeHtml is a good solution for me  Hibernate SafeHtmlValidator depends on org jsoup  so it s needed to add one more project dependencies   lt dependency gt       lt groupId gt org jsoup lt  groupId gt       lt artifactId gt jsoup lt  artifactId gt       lt version gt 1 10 1 lt  version gt   lt  dependency gt   For bean User with field  NotEmpty  SafeHtml protected String name   for update attempt with value  lt script gt alert 123  lt  script gt  in controller  PutMapping value    quot   id  quot   consumes   MediaType APPLICATION JSON VALUE  public void update  Valid  RequestBody User user   PathVariable  quot id quot   int id    or  PostMapping public void createOrUpdate  Valid User user     is thrown BindException for binding and MethodArgumentNotValidException for  RequestBody with default message  name may have unsafe html content  Validator works as well for binding  as before persisting  Apps could be tested at http   topjava herokuapp com  UPDATE  see also comment from  GuyT CVE-2019-10219 and status of  SafeHtml  We have been made aware of a CVE-2019-10219 related to the  SafeHtml constraint and it was fixed in both 6 0 18 Final and 6 1 0 Final     However  we came to the conclusion that the  SafeHtml constraint was fragile  highly security-sensitive and depending on an external library that wasn   t designed for this purpose  Having it included in core Hibernate Validator was not a very good idea  That   s why we deprecated it and marked it for removal There is no magic plan here so our users will have to maintain this constraint themselves  Resume for myself  it is safe and could be used  until solution better be found

User · Answer

Instead of relying only on  lt c out   gt   an antixss library should also be used  which will not only encode but also sanitize malicious script in input  One of the best library available is OWASP Antisamy  it s highly flexible and can be configured using xml policy files  as per requirement    For e g  if an application supports only text input then most generic policy file provided by OWASP can be used which sanitizes and removes most of the html tags  Similarly if application support html editors such as tinymce  which need all kind of html tags  a more flexible policy can be use such as ebay policy file

User · Answer

To avoid XSS security threat in spring application        solution to the XSS issue is to filter all the textfields in the form   at the time of submitting the form        It needs XML entry in the web xml file  amp  two simple classes           java code  -         The code for the  first class named CrossScriptingFilter java is            package com filter           import java io IOException          import javax servlet Filter          import javax servlet FilterChain          import javax servlet FilterConfig          import javax servlet ServletException          import javax servlet ServletRequest          import javax servlet ServletResponse          import javax servlet http HttpServletRequest          import org apache log4j Logger           public class CrossScriptingFilter implements Filter               private static Logger logger   Logger getLogger CrossScriptingFilter class               private FilterConfig filterConfig               public void init FilterConfig filterConfig  throws ServletException                   this filterConfig   filterConfig                             public void destroy                     this filterConfig   null                             public void doFilter ServletRequest request  ServletResponse response  FilterChain chain                  throws IOException  ServletException                   logger info  Inlter CrossScriptingFilter                                     chain doFilter new RequestWrapper  HttpServletRequest  request   response                   logger info  Outlter CrossScriptingFilter                                               The code second class named RequestWrapper java is    package com filter   import javax servlet http HttpServletRequest  import javax servlet http HttpServletRequestWrapper   import org apache log4j Logger   public final class RequestWrapper extends HttpServletRequestWrapper       private static Logger logger   Logger getLogger RequestWrapper class       public RequestWrapper HttpServletRequest servletRequest            super servletRequest              public String   getParameterValues String parameter            logger info  InarameterValues    parameter                    String   values   super getParameterValues parameter           if  values    null                return null                    int count   values length          String   encodedValues   new String count           for  int i   0  i  lt  count  i                  encodedValues i    cleanXSS values i                      return encodedValues             public String getParameter String parameter            logger info  Inarameter    parameter                    String value   super getParameter parameter           if  value    null                return null                    logger info  Inarameter RequestWrapper          value                    return cleanXSS value              public String getHeader String name            logger info  Ineader    parameter                    String value   super getHeader name           if  value    null              return null          logger info  Ineader RequestWrapper             value                 return cleanXSS value              private String cleanXSS String value               You ll need to remove the spaces from the html entities below         logger info  InnXSS RequestWrapper                    value             value   value replaceAll   lt      amp  lt    replaceAll   gt      amp  gt               value   value replaceAll          amp   40    replaceAll          amp   41               value   value replaceAll        amp   39             value   value replaceAll  eval                          value   value replaceAll               s  javascript                                    value   value replaceAll    i  lt script    gt     lt script    gt                 value   value replaceAll    i  lt script    gt     lt  script    gt                 value   value replaceAll    i  lt    javascript     gt     lt      gt                 value   value replaceAll    i  lt      s on    gt     lt      gt                   value   value replaceAll   lt script gt                   value   value replaceAll   lt  script gt                 logger info  OutnXSS RequestWrapper          value            value           return value             The only thing remained is the XML entry in the web xml file             lt filter gt           lt filter-name gt XSS lt  filter-name gt           lt display-name gt XSS lt  display-name gt           lt description gt  lt  description gt           lt filter-class gt com filter CrossScriptingFilter lt  filter-class gt       lt  filter gt        lt filter-mapping gt           lt filter-name gt XSS lt  filter-name gt           lt url-pattern gt    lt  url-pattern gt       lt  filter-mapping gt    The    indicates that for every request made from browser  it will call     CrossScriptingFilter  class  Which will parse all the components elements came from the request  amp      will replace all the javascript tags put by hacker with empty string i e

User · Answer

How are you collecting user input in the first place  This question   answer may assist if you re using a FormController   Spring  escaping input when binding to command

User · Answer

Try XSSFilter

User · Answer

Always check manually the methods  tags you use  and make sure that they always escape  once  in the end  Frameworks have many bugs and differences in this aspect   An overview  http   www gablog eu online node 91

User · Answer

When you are trying to prevent XSS  it s important to think of the context  As an example how and what to escape is very different if you are ouputting data inside a variable in a javascript snippet as opposed to outputting data in an HTML tag or an HTML attribute   I have an example of this here  http   erlend oftedal no blog  blogid 91  Also checkout the OWASP XSS Prevention Cheat Sheet  http   www owasp org index php XSS  28Cross Site Scripting 29 Prevention Cheat Sheet  So the short answer is  make sure you escape output like suggested by Tendayi Mawushe  but take special care when you are outputting data in HTML attributes or javascript

User · Answer

In Spring you can escape the html from JSP pages generated by  lt form gt  tags  This closes off a lot avenues for XSS attacks  and can be done automatically in three ways   For the entire application in the web xml file    lt context-param gt       lt param-name gt defaultHtmlEscape lt  param-name gt       lt param-value gt true lt  param-value gt   lt  context-param gt    For all forms on a given page in the file itself    lt spring htmlEscape defaultHtmlEscape  true    gt     For each form    lt form input path  someFormField  htmlEscape  true    gt

[spring] How do I prevent people from doing XSS in Spring MVC?

Examples related to spring

Examples related to jsp

Examples related to spring-mvc

Examples related to xss

Examples related to html-escape-characters