commons-user mailing list archives

From Benedikt Ritter <brit...@apache.org>
Subject Re: StringEscapeUtils.escapeXml & XX
Date Mon, 05 May 2014 17:54:32 GMT
Hello Akash,

escapeXml will just escape the basic XML entities. For example:

"bread" & "butter" => &quot;bread&quot; &amp; &quot;butter&quot;.

escapeXml10 and escapeXml11 are extended methods that will escape some more
characters that are illegal in XML.

I don't understand what you mean by "how safe". Can you give an example of a
malformed input and the result you're expecting? Then I can tell you whether
it will be escaped ;-)

Regards,
Benedikt


2014-05-05 19:34 GMT+02:00 Akash Jain <akash.delhite@gmail.com>:

> Martin,
>
> Can you tell me how safe the escapeXml function is? That's what I originally
> wanted to know.
>
> Thanks.
>
>
> On Mon, May 5, 2014 at 5:17 AM, Martin Gainty <mgainty@hotmail.com> wrote:
>
> > if you didn't catch the XSS vector in JavaScript as it was coming in from the
> > browser then you can write your own from:
> >
> > http://commons.apache.org/proper/commons-lang/javadocs/api-2.6/src-html/org/apache/commons/lang/StringEscapeUtils.html
> > private static void escapeJavaStyleString(Writer out, String str, boolean
> > escapeSingleQuote,
> >                boolean escapeForwardSlash) throws IOException {
> > //put XSS Vector attack mitigation  here
> > }
> >
> > //Also in a webapp insert the configuration for owasp csrf guard
> >     <context-param>
> >         <param-name>Owasp.CsrfGuard.Config</param-name>
> >         <param-value>config/Owasp.CsrfGuard.properties</param-value>
> >     </context-param>
> > //and of course the filter
> >     <filter>
> >         <filter-name>CSRFGuard</filter-name>
> >         <filter-class>org.owasp.csrfguard.CsrfGuardFilter</filter-class>
> >     </filter>
> > //and which extensions it will map to
> >     <!-- CSRF Filter Mapping -->
> >     <filter-mapping>
> >         <filter-name>CSRFGuard</filter-name>
> >         <url-pattern>*.jsf</url-pattern>
> >     </filter-mapping>
> >     <filter-mapping>
> >         <filter-name>CSRFGuard</filter-name>
> >         <url-pattern>*.jsp</url-pattern>
> >     </filter-mapping>
> >
> > //session listener
> >     <listener>
> >         <listener-class>
> >             org.owasp.csrfguard.CsrfGuardListener
> >         </listener-class>
> >     </listener>
> >
> >     <!-- CSRF JavaScript Servlet -->
> >     <servlet>
> >         <servlet-name>JavaScriptServlet</servlet-name>
> >         <servlet-class>org.owasp.csrfguard.servlet.JavaScriptServlet</servlet-class>
> >         <init-param>
> >             <param-name>source-file</param-name>
> >             <param-value>WEB-INF/customjs/Owasp.CsrfGuard.js</param-value>
> >         </init-param>
> >     </servlet>
> > //where Owasp.CsrfGuard.js would contain something like:
> > /** determine if uri/url points to valid domain * */
> >     function isValidUrl(src) {
> >         var result = false;
> >
> >         /** parse out domain to make sure it points to our own * */
> >         if(src.substring(0, 7) == "http://" || src.substring(0, 8) == "https://") {
> >             var token = "://";
> >             var index = src.indexOf(token);
> >             var part = src.substring(index + token.length);
> >             var domain = "";
> >
> >             /** parse up to end, first slash, or anchor * */
> >             for(var i=0; i<part.length; i++) {
> >                 var character = part.charAt(i);
> >
> >                 if(character == '/' || character == ':' || character == '#') {
> >                     break;
> >                 } else {
> >                     domain += character;
> >                 }
> >             }
> >
> >             result = isValidDomain(document.domain, domain);
> >             /** explicitly skip anchors * */
> >         } else if(src.charAt(0) == '#') {
> >             result = false;
> >             /** ensure it is a local resource without a protocol * */
> >         } else if(!src.startsWith("//") && (src.charAt(0) == '/' || src.indexOf(':') == -1)) {
> >             result = true;
> >         }
> >
> >         return result;
> >     }
> >
> >
> > Kind regards
> >
> > Martin
> >
> > > Date: Mon, 5 May 2014 00:55:22 -0700
> > > Subject: StringEscapeUtils.escapeXml & XX
> > > From: akash.delhite@gmail.com
> > > To: user@commons.apache.org
> > >
> > > Hi,
> > >
> > > I want to know how secure escapeXml
> > > (org.apache.commons.lang.StringEscapeUtils.escapeXml) is for preventing all
> > > XSS vectors?
> >
> >
>



-- 
http://people.apache.org/~britter/
http://www.systemoutprintln.de/
http://twitter.com/BenediktRitter
http://github.com/britter
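The gap between what escapeXml does and what "preventing all XSS vectors" would require, shown as an added example that is not part of this thread and not commons-lang code. `escapeXml5()` re-implements in JavaScript only what the commons-lang 2.6 Javadoc documents for `StringEscapeUtils.escapeXml` (the five basic XML entities gt, lt, quot, amp, apos); the template names, the `render()` helper and the attacker inputs are constructed for this example.

```javascript
// Added example; not code from commons-lang or from anyone in this thread.
// escapeXml5() re-implements in JavaScript what the commons-lang 2.6 Javadoc
// documents for StringEscapeUtils.escapeXml: only the five basic XML entities
// (gt, lt, quot, amp, apos) are escaped. Template names, payloads and the
// render() helper are this example's own assumptions.

const XML_ENTITIES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&apos;",
};

// One pass over the string, so an "&amp;" just produced is never re-escaped.
function escapeXml5(str) {
  return String(str).replace(/[&<>"']/g, (ch) => XML_ENTITIES[ch]);
}

// Places where a developer might splice a user value into a page. The value is
// always run through escapeXml5() first; the question is whether that helps.
const TEMPLATES = {
  elementBody:  (v) => `<div>${v}</div>`,
  quotedAttr:   (v) => `<div title="${v}"></div>`,
  unquotedAttr: (v) => `<div title=${v}></div>`,
  hrefAttr:     (v) => `<a href="${v}">link</a>`,
};

// Returns the markup that reaches the browser and whether escaping altered the
// input at all. If it did not, escapeXml contributed nothing in that context.
function render(context, userInput) {
  const escaped = escapeXml5(userInput);
  return { html: TEMPLATES[context](escaped), changed: escaped !== userInput };
}

// Constructed attacker inputs (not from the thread), one per context.
const PAYLOADS = {
  elementBody:  "<script>alert(1)</script>",     // '<' and '>' get escaped
  quotedAttr:   '" onmouseover="alert(1)',        // '"' gets escaped
  unquotedAttr: "x onmouseover=alert(1)",         // no XML-special character at all
  hrefAttr:     "javascript:alert(1)",            // none here either
};

// Lists the contexts whose payload the escaper left byte-for-byte unchanged.
function survivingPayloads() {
  return Object.keys(PAYLOADS).filter((ctx) => !render(ctx, PAYLOADS[ctx]).changed);
}

// Prints each context with the markup a browser would receive.
function demo() {
  for (const ctx of Object.keys(PAYLOADS)) {
    const { html, changed } = render(ctx, PAYLOADS[ctx]);
    console.log(`${ctx.padEnd(13)} escaper ${changed ? "altered" : "ignored"} input -> ${html}`);
  }
}

demo();
```

In element text and inside a double-quoted attribute the five-entity escaping is exactly right: the injected `<script>` and the closing `"` are neutralised. In an unquoted attribute, or in a URL attribute fed `javascript:alert(1)`, the escaper finds nothing to change and the payload reaches the browser intact, so in those contexts escapeXml is the wrong tool: always quote attributes, and validate a URL's scheme separately before putting it in `href`.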
