commons-user mailing list archives

From Akash Jain <akash.delh...@gmail.com>
Subject Re: StringEscapeUtils.escapeXml & XX
Date Thu, 08 May 2014 05:30:59 GMT
I appreciate your response.

However, my main question is still not answered: is
StringEscapeUtils.escapeXml not enough to prevent XSS?


On Tue, May 6, 2014 at 10:23 PM, Benedikt Ritter <britter@apache.org> wrote:

> Hello Akash,
>
> may be this can help:
>
> http://stackoverflow.com/questions/10487648/prevent-xss-in-spring-mvc
>
> http://stackoverflow.com/questions/12538227/how-to-prevent-xss-attacks-with-springmvc-jackson-application
> http://jeevanpatil.wordpress.com/2011/07/22/prevention_of_xss/
>
> There is a lot on Google about this ;-) Or you ask at OWASP how to integrate
> the other systems with ESAPI that caused the problems.
>
> Regards,
> Benedikt
>
>
> 2014-05-07 2:23 GMT+02:00 Akash Jain <akash.delhite@gmail.com>:
>
> > ESAPI has given us some problems with other systems we interact with.
> >
> > I am using Java 7 with Spring 3.2 MVC in Tomcat 7.
> >
> >
> > On Tue, May 6, 2014 at 4:29 AM, Benedikt Ritter <britter@apache.org>
> > wrote:
> >
> > > Hello Akash,
> > >
> > >
> > > 2014-05-05 22:16 GMT+02:00 Akash Jain <akash.delhite@gmail.com>:
> > >
> > > > Hello Benedikt,
> > > >
> > > > Basically I am using it as XSS prevention mechanism. So I want to use
> > > > it, is it safe enough?
> > > >
> > >
> > > As I've said: escapeXml just escapes the basic XML entities. It depends
> > > on what you're doing with the escaped content. Since I don't know the
> > > environment you're working in, I can not tell which kinds of XSS are
> > > possible. But I don't think that just using escapeXml is sufficient. My
> > > feeling is that using a full blown XSS prevention library like ESAPI is a
> > > better solution.
> > >
> > > Benedikt
> > >
> > >
> > > >
> > > > I am not very inclined to use ESAPI as XSS protection mechanism,
> > > > hence I am using escapeXml
> > > >
> > > >
> > > > On Mon, May 5, 2014 at 10:54 AM, Benedikt Ritter <britter@apache.org>
> > > > wrote:
> > > >
> > > > > Hello Akash,
> > > > >
> > > > > escapeXml will just escape the basic XML entities. For example:
> > > > >
> > > > > "bread" & "butter" => &quot;bread&quot; &amp; &quot;butter&quot;.
> > > > >
> > > > > escapeXml10 and escapeXml11 are extended methods that will escape
> > > > > some more characters that are illegal in XML.
> > > > >
> > > > > I don't understand what you mean by "how safe". Can you give an
> > > > > example of a malformed input and the result you're expecting? Then
> > > > > I can tell you whether it will be escaped ;-)
> > > > >
> > > > > Regards,
> > > > > Benedikt
> > > > >
> > > > >
> > > > > 2014-05-05 19:34 GMT+02:00 Akash Jain <akash.delhite@gmail.com>:
> > > > >
> > > > > > Martin,
> > > > > >
> > > > > > Can you tell me how safe the escapeXml function is? That's what I
> > > > > > originally wanted to know.
> > > > > >
> > > > > > Thanks.
> > > > > >
> > > > > >
> > > > > > On Mon, May 5, 2014 at 5:17 AM, Martin Gainty <mgainty@hotmail.com>
> > > > > > wrote:
> > > > > >
> > > > > > > if you didn't catch the XSS vector in JavaScript as it was coming in
> > > > > > > from the browser then you can write your own from:
> > > > > > >
> > > > > > > http://commons.apache.org/proper/commons-lang/javadocs/api-2.6/src-html/org/apache/commons/lang/StringEscapeUtils.html
> > > > > > >
> > > > > > > private static void escapeJavaStyleString(Writer out, String str,
> > > > > > >                boolean escapeSingleQuote,
> > > > > > >                boolean escapeForwardSlash) throws IOException {
> > > > > > >     // put XSS vector attack mitigation here
> > > > > > > }
> > > > > > >
> > > > > > > <!-- Also in a webapp insert the configuration for OWASP CSRFGuard -->
> > > > > > >     <context-param>
> > > > > > >         <param-name>Owasp.CsrfGuard.Config</param-name>
> > > > > > >         <param-value>config/Owasp.CsrfGuard.properties</param-value>
> > > > > > >     </context-param>
> > > > > > > <!-- and of course the filter -->
> > > > > > >     <filter>
> > > > > > >         <filter-name>CSRFGuard</filter-name>
> > > > > > >         <filter-class>org.owasp.csrfguard.CsrfGuardFilter</filter-class>
> > > > > > >     </filter>
> > > > > > > <!-- and which extensions it will map to -->
> > > > > > >     <!-- CSRF Filter Mapping -->
> > > > > > >     <filter-mapping>
> > > > > > >         <filter-name>CSRFGuard</filter-name>
> > > > > > >         <url-pattern>*.jsf</url-pattern>
> > > > > > >     </filter-mapping>
> > > > > > >     <filter-mapping>
> > > > > > >         <filter-name>CSRFGuard</filter-name>
> > > > > > >         <url-pattern>*.jsp</url-pattern>
> > > > > > >     </filter-mapping>
> > > > > > >
> > > > > > > <!-- session listener -->
> > > > > > >     <listener>
> > > > > > >         <listener-class>
> > > > > > >             org.owasp.csrfguard.CsrfGuardListener
> > > > > > >         </listener-class>
> > > > > > >     </listener>
> > > > > > >
> > > > > > >     <!-- CSRF JavaScript Servlet -->
> > > > > > >     <servlet>
> > > > > > >         <servlet-name>JavaScriptServlet</servlet-name>
> > > > > > >         <servlet-class>org.owasp.csrfguard.servlet.JavaScriptServlet</servlet-class>
> > > > > > >         <init-param>
> > > > > > >             <param-name>source-file</param-name>
> > > > > > >             <param-value>WEB-INF/customjs/Owasp.CsrfGuard.js</param-value>
> > > > > > >         </init-param>
> > > > > > >     </servlet>
> > > > > > >
> > > > > > > // where Owasp.CsrfGuard.js would contain something like:
> > > > > > > /** determine if uri/url points to valid domain */
> > > > > > >     function isValidUrl(src) {
> > > > > > >         var result = false;
> > > > > > >
> > > > > > >         /** parse out domain to make sure it points to our own */
> > > > > > >         if(src.substring(0, 7) == "http://" || src.substring(0, 8) == "https://") {
> > > > > > >             var token = "://";
> > > > > > >             var index = src.indexOf(token);
> > > > > > >             var part = src.substring(index + token.length);
> > > > > > >             var domain = "";
> > > > > > >
> > > > > > >             /** parse up to end, first slash, or anchor */
> > > > > > >             for(var i=0; i<part.length; i++) {
> > > > > > >                 var character = part.charAt(i);
> > > > > > >
> > > > > > >                 if(character == '/' || character == ':' || character == '#') {
> > > > > > >                     break;
> > > > > > >                 } else {
> > > > > > >                     domain += character;
> > > > > > >                 }
> > > > > > >             }
> > > > > > >
> > > > > > >             /** isValidDomain is defined elsewhere in Owasp.CsrfGuard.js */
> > > > > > >             result = isValidDomain(document.domain, domain);
> > > > > > >         /** explicitly skip anchors */
> > > > > > >         } else if(src.charAt(0) == '#') {
> > > > > > >             result = false;
> > > > > > >         /** ensure it is a local resource without a protocol */
> > > > > > >         } else if(!src.startsWith("//") && (src.charAt(0) == '/' || src.indexOf(':') == -1)) {
> > > > > > >             result = true;
> > > > > > >         }
> > > > > > >
> > > > > > >         return result;
> > > > > > >     }
> > > > > > >
> > > > > > >
> > > > > > > Kind regards
> > > > > > >
> > > > > > > Martin
> > > > > > >
> > > > > > > > Date: Mon, 5 May 2014 00:55:22 -0700
> > > > > > > > Subject: StringEscapeUtils.escapeXml & XX
> > > > > > > > From: akash.delhite@gmail.com
> > > > > > > > To: user@commons.apache.org
> > > > > > > >
> > > > > > > > Hi,
> > > > > > > >
> > > > > > > > I want to know how secure escapeXml
> > > > > > > > (org.apache.commons.lang.StringEscapeUtils.escapeXml) is for
> > > > > > > > preventing all XSS vectors?
> > > > > > >
> > > > > > >
> > > > > >
> > > > >
> > > > >
> > > > >
> > > > > --
> > > > > http://people.apache.org/~britter/
> > > > > http://www.systemoutprintln.de/
> > > > > http://twitter.com/BenediktRitter
> > > > > http://github.com/britter
> > > > >
> > > >
> > >
> >
>
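To make Benedikt's point concrete ("it depends on what you're doing with the escaped content"), here is an added example that is not code from the thread or from Commons Lang: a small Java class that mirrors the five-entity replacement escapeXml performs and pairs it with a scheme check for URL-valued attributes in the spirit of the isValidUrl function quoted above. The class and method names, and the allow-list of http, https and relative paths, are assumptions made for illustration.

```java
import java.util.Locale;

// Added example, not code from the thread or from Commons Lang. Names and the
// scheme allow-list are assumptions made for illustration.
public class EscapeContextDemo {

    // Mirrors the five basic entities that escapeXml replaces
    // (&, <, >, " and '). This is what protects text between tags and
    // inside quoted attribute values; it does not interpret the value.
    static String escapeBasicXml(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&apos;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // For href/src attributes entity escaping is not the whole answer: a
    // value whose scheme is neither http nor https may contain none of the
    // five characters and passes through escapeXml unchanged. Check the
    // scheme separately, as the isValidUrl function in the thread does.
    static boolean isAllowedUrl(String url) {
        String u = url.trim().toLowerCase(Locale.ROOT);
        if (u.startsWith("//")) return false;              // protocol-relative
        if (u.startsWith("http://") || u.startsWith("https://")) return true;
        return u.indexOf(':') == -1;                       // relative, no scheme
    }

    // Render an href attribute: scheme check first, entity escaping second.
    static String hrefAttribute(String url) {
        if (!isAllowedUrl(url)) {
            throw new IllegalArgumentException("URL scheme not allowed: " + url);
        }
        return "href=\"" + escapeBasicXml(url) + "\"";
    }

    public static void main(String[] args) {
        System.out.println(escapeBasicXml("\"bread\" & \"butter\""));
        System.out.println(hrefAttribute("/search?q=a&b=2"));
        // escapeXml alone leaves the next value untouched; the scheme check rejects it
        System.out.println(isAllowedUrl("javascript:void(0)"));
    }
}
```

Run it with `javac EscapeContextDemo.java && java EscapeContextDemo`; the point to take away is that escapeXml is the right tool for element content and quoted attribute values, while URL, JavaScript and CSS contexts each need their own check or encoder in addition.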
