commons-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Benedikt Ritter <brit...@apache.org>
Subject Re: StringEscapeUtils.escapeXml & XX
Date Wed, 07 May 2014 05:23:47 GMT
Hello Akash,

may be this can help:

http://stackoverflow.com/questions/10487648/prevent-xss-in-spring-mvc
http://stackoverflow.com/questions/12538227/how-to-prevent-xss-attacks-with-springmvc-jackson-application
http://jeevanpatil.wordpress.com/2011/07/22/prevention_of_xss/

There is a lot n google about this ;-) Or you as at OWASP how to integrate
the other systems with ESAPI that caused the problems.

Regards,
Benedikt


2014-05-07 2:23 GMT+02:00 Akash Jain <akash.delhite@gmail.com>:

> ESAPI has given us some problems with other systems we interact with.
>
> I am using Java 7 with Spring 3.2 MVC in Tomcat 7.
>
>
> On Tue, May 6, 2014 at 4:29 AM, Benedikt Ritter <britter@apache.org>
> wrote:
>
> > Hello Akash,
> >
> >
> > 2014-05-05 22:16 GMT+02:00 Akash Jain <akash.delhite@gmail.com>:
> >
> > > Hello Benedikt,
> > >
> > > Basically I am using it as XSS prevention mechanism. So I want to use
> is
> > it
> > > safe enough ?
> > >
> >
> > As I've said: escapeXml just escapes the basic XML entities. It depends
> on
> > what you're doing with the escaped content. Since I don't know the
> > environment you're working in, I can not tell which kinds of XSS are
> > possible. But I don't think that just using escapeXml is sufficient. My
> > feeling is that using a full blown XSS prevention library like ESAPI is a
> > better solution.
> >
> > Benedikt
> >
> >
> > >
> > > I am not very inclined to use ESAPI as XSS protection mechanism, hence
> I
> > am
> > > using escapeXml
> > >
> > >
> > > On Mon, May 5, 2014 at 10:54 AM, Benedikt Ritter <britter@apache.org>
> > > wrote:
> > >
> > > > Hello Akash,
> > > >
> > > > escapeXml will just escape the basic XML entities. For example:
> > > >
> > > > "bread" & "butter" => &quot;bread&quot; &amp; &quot;butter&quot;.
> > > >
> > > > escapeXml10 and escapeXml11 are extended methods that will escape
> some
> > > more
> > > > characters that are illegal in XML.
> > > >
> > > > I don't understand what you mean by "how safe" can you give an
> example
> > > of a
> > > > malformed input and the result your expecting? Then I can tell you
> > > whether
> > > > it will be escaped ;-)
> > > >
> > > > Regards,
> > > > Benedikt
> > > >
> > > >
> > > > 2014-05-05 19:34 GMT+02:00 Akash Jain <akash.delhite@gmail.com>:
> > > >
> > > > > Martin,
> > > > >
> > > > > Can you tell me how safe is escapeXml function is ? Thats what I
> > > > originally
> > > > > wanted to know.
> > > > >
> > > > > Thanks.
> > > > >
> > > > >
> > > > > On Mon, May 5, 2014 at 5:17 AM, Martin Gainty <mgainty@hotmail.com
> >
> > > > wrote:
> > > > >
> > > > > > if you didnt catch XSS Vector at Javascript as it was coming
in
> > from
> > > > > > Browser then you can write your own from:
> > > > > >
> > > > > >
> > > > > >
> > > > >
> > > >
> > >
> >
> http://commons.apache.org/proper/commons-lang/javadocs/api-2.6/src-html/org/apache/commons/lang/StringEscapeUtils.html
> > > > > > private static void escapeJavaStyleString(Writer out, String
str,
> > > > boolean
> > > > > > escapeSingleQuote,
> > > > > >                boolean escapeForwardSlash) throws IOException
{{
> > > > > > //put XSS Vector attack mitigation  here
> > > > > > }
> > > > > >
> > > > > > //Also in a webapp insert the configuration for owasp csrf guard
> > > > > >     <context-param>
> > > > > >         <param-name>Owasp.CsrfGuard.Config</param-name>
> > > > > >
> > <param-value>config/Owasp.CsrfGuard.properties</param-value>
> > > > > >     </context-param>
> > > > > > //and of course the filter
> > > > > >     <filter>
> > > > > >         <filter-name>CSRFGuard</filter-name>
> > > > > >
> > > > <filter-class>org.owasp.csrfguard.CsrfGuardFilter</filter-class>
> > > > > >     </filter>
> > > > > > //and which extensions it will map to
> > > > > >     <!-- CSRF Filter Mapping -->
> > > > > >     <filter-mapping>
> > > > > >         <filter-name>CSRFGuard</filter-name>
> > > > > >         <url-pattern>*.jsf</url-pattern>
> > > > > >     </filter-mapping>
> > > > > >     <filter-mapping>
> > > > > >         <filter-name>CSRFGuard</filter-name>
> > > > > >         <url-pattern>*.jsp</url-pattern>
> > > > > >     </filter-mapping>
> > > > > >
> > > > > > //session listener
> > > > > >     <listener>
> > > > > >         <listener-class>
> > > > > >             org.owasp.csrfguard.CsrfGuardListener
> > > > > >         </listener-class>
> > > > > >     </listener>
> > > > > >
> > > > > >     <!-- CSRF JavaScript Servlet -->
> > > > > >     <servlet>
> > > > > >         <servlet-name>JavaScriptServlet</servlet-name>
> > > > > >
> > > > > >
> > > > >
> > > >
> > >
> >
> <servlet-class>org.owasp.csrfguard.servlet.JavaScriptServlet</servlet-class>
> > > > > >         <init-param>
> > > > > >             <param-name>source-file</param-name>
> > > > > >
> > > > > <param-value>WEB-INF/customjs/Owasp.CsrfGuard.js</param-value>
> > > > > >         </init-param>
> > > > > >     </servlet>
> > > > > > //where Owasp.CsrfGuard.js would contain something like:
> > > > > > /** determine if uri/url points to valid domain * */
> > > > > >     function isValidUrl(src) {
> > > > > >         var result = false;
> > > > > >
> > > > > >         /** parse out domain to make sure it points to our own
*
> */
> > > > > >         if(src.substring(0, 7) == "http://" || src.substring(0,
> 8)
> > > ==
> > > > > > "https://") {
> > > > > >             var token = "://";
> > > > > >             var index = src.indexOf(token);
> > > > > >             var part = src.substring(index + token.length);
> > > > > >             var domain = "";
> > > > > >
> > > > > >             /** parse up to end, first slash, or anchor * */
> > > > > >             for(var i=0; i<part.length; i++) {
> > > > > >                 var character = part.charAt(i);
> > > > > >
> > > > > >                 if(character == '/' || character == ':' ||
> > character
> > > ==
> > > > > > '#') {
> > > > > >                     break;
> > > > > >                 } else {
> > > > > >                     domain += character;
> > > > > >                 }
> > > > > >             }
> > > > > >
> > > > > >             result = isValidDomain(document.domain, domain);
> > > > > >             /** explicitly skip anchors * */
> > > > > >         } else if(src.charAt(0) == '#') {
> > > > > >             result = false;
> > > > > >             /** ensure it is a local resource without a protocol
> *
> > */
> > > > > >         } else if(!src.startsWith("//") && (src.charAt(0)
== '/'
> ||
> > > > > > src.indexOf(':') == -1)) {
> > > > > >             result = true;
> > > > > >         }
> > > > > >
> > > > > >         return result;
> > > > > >     }
> > > > > >
> > > > > >
> > > > > > Mit freundlichen Grüßen
> > > > > >
> > > > > > Martin
> > > > > >
> > > > > > > Date: Mon, 5 May 2014 00:55:22 -0700
> > > > > > > Subject: StringEscapeUtils.escapeXml & XX
> > > > > > > From: akash.delhite@gmail.com
> > > > > > > To: user@commons.apache.org
> > > > > > >
> > > > > > > Hi,
> > > > > > >
> > > > > > > I want to know much secure is escapeXml
> > > > > > > (org.apache.commons.lang.StringEscapeUtils.escapeXml) for
> > > preventing
> > > > > all
> > > > > > > XSS vectors ?
> > > > > >
> > > > > >
> > > > >
> > > >
> > > >
> > > >
> > > > --
> > > > http://people.apache.org/~britter/
> > > > http://www.systemoutprintln.de/
> > > > http://twitter.com/BenediktRitter
> > > > http://github.com/britter
> > > >
> > >
> >
> >
> >
> > --
> > http://people.apache.org/~britter/
> > http://www.systemoutprintln.de/
> > http://twitter.com/BenediktRitter
> > http://github.com/britter
> >
>



-- 
http://people.apache.org/~britter/
http://www.systemoutprintln.de/
http://twitter.com/BenediktRitter
http://github.com/britter

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message