commons-user mailing list archives

From Akash Jain <akash.delh...@gmail.com>
Subject Re: StringEscapeUtils.escapeXml & XX
Date Mon, 05 May 2014 17:34:45 GMT
Martin,

Can you tell me how safe the escapeXml function is? That's what I originally
wanted to know.

Thanks.


On Mon, May 5, 2014 at 5:17 AM, Martin Gainty <mgainty@hotmail.com> wrote:

> if you didn't catch the XSS vector in JavaScript as it was coming in from the
> browser then you can write your own from:
>
>
> http://commons.apache.org/proper/commons-lang/javadocs/api-2.6/src-html/org/apache/commons/lang/StringEscapeUtils.html
> private static void escapeJavaStyleString(Writer out, String str, boolean escapeSingleQuote,
>                boolean escapeForwardSlash) throws IOException {
> //put XSS Vector attack mitigation here
> }
>
> //Also in a webapp insert the configuration for owasp csrf guard
>     <context-param>
>         <param-name>Owasp.CsrfGuard.Config</param-name>
>         <param-value>config/Owasp.CsrfGuard.properties</param-value>
>     </context-param>
> //and of course the filter
>     <filter>
>         <filter-name>CSRFGuard</filter-name>
>         <filter-class>org.owasp.csrfguard.CsrfGuardFilter</filter-class>
>     </filter>
> //and which extensions it will map to
>     <!-- CSRF Filter Mapping -->
>     <filter-mapping>
>         <filter-name>CSRFGuard</filter-name>
>         <url-pattern>*.jsf</url-pattern>
>     </filter-mapping>
>     <filter-mapping>
>         <filter-name>CSRFGuard</filter-name>
>         <url-pattern>*.jsp</url-pattern>
>     </filter-mapping>
>
> //session listener
>     <listener>
>         <listener-class>
>             org.owasp.csrfguard.CsrfGuardListener
>         </listener-class>
>     </listener>
>
>     <!-- CSRF JavaScript Servlet -->
>     <servlet>
>         <servlet-name>JavaScriptServlet</servlet-name>
>         <servlet-class>org.owasp.csrfguard.servlet.JavaScriptServlet</servlet-class>
>         <init-param>
>             <param-name>source-file</param-name>
>             <param-value>WEB-INF/customjs/Owasp.CsrfGuard.js</param-value>
>         </init-param>
>     </servlet>
> //where Owasp.CsrfGuard.js would contain something like:
> /** determine if uri/url points to valid domain * */
>     function isValidUrl(src) {
>         var result = false;
>
>         /** parse out domain to make sure it points to our own * */
>         if(src.substring(0, 7) == "http://" || src.substring(0, 8) == "https://") {
>             var token = "://";
>             var index = src.indexOf(token);
>             var part = src.substring(index + token.length);
>             var domain = "";
>
>             /** parse up to end, first slash, or anchor * */
>             for(var i=0; i<part.length; i++) {
>                 var character = part.charAt(i);
>
>                 if(character == '/' || character == ':' || character == '#') {
>                     break;
>                 } else {
>                     domain += character;
>                 }
>             }
>
>             result = isValidDomain(document.domain, domain);
>             /** explicitly skip anchors * */
>         } else if(src.charAt(0) == '#') {
>             result = false;
>             /** ensure it is a local resource without a protocol * */
>         } else if(!src.startsWith("//") && (src.charAt(0) == '/' || src.indexOf(':') == -1)) {
>             result = true;
>         }
>
>         return result;
>     }
>
>
> With kind regards
>
> Martin
>
> > Date: Mon, 5 May 2014 00:55:22 -0700
> > Subject: StringEscapeUtils.escapeXml & XX
> > From: akash.delhite@gmail.com
> > To: user@commons.apache.org
> >
> > Hi,
> >
> > I want to know how secure escapeXml
> > (org.apache.commons.lang.StringEscapeUtils.escapeXml) is for preventing all
> > XSS vectors?
>
>
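
As an added example, not code from this thread or from the commons-lang project, the following Java class shows where escapeXml (commons-lang 2.6) is sufficient against XSS and where the output context needs a different control. The class, its helper names and the scheme allow-list are my own, and it assumes commons-lang 2.6 on the classpath.

```java
import java.util.Arrays;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import org.apache.commons.lang.StringEscapeUtils;

public class EscapeXmlContexts {
    // Element text and double-quoted attribute values: escapeXml turns
    // & < > " ' into entities, so the input can neither close the current
    // tag nor open a new one. This is the context escapeXml is good for.
    static String asText(String untrusted) {
        return StringEscapeUtils.escapeXml(untrusted);
    }

    // The quotes are mandatory: an unquoted attribute ends at whitespace,
    // which escapeXml does not touch.
    static String asQuotedAttribute(String name, String untrusted) {
        return name + "=\"" + StringEscapeUtils.escapeXml(untrusted) + "\"";
    }

    // URL attributes: escapeXml leaves the URL scheme untouched, so escaping alone
    // does not stop a script-capable scheme. Allow-list the scheme first; a URL
    // without a scheme is treated as local, as in the isValidUrl check quoted above.
    private static final List<String> SAFE_SCHEMES = Arrays.asList("http:", "https:", "mailto:");
    private static final Pattern SCHEME = Pattern.compile("^[a-zA-Z][a-zA-Z0-9+.-]*:");
    static String asHref(String untrusted) {
        String url = untrusted.trim(); // trim() also drops leading control characters browsers ignore
        Matcher m = SCHEME.matcher(url);
        if (m.find() && !SAFE_SCHEMES.contains(m.group().toLowerCase())) {
            return "href=\"#\""; // scheme not on the allow-list: refuse the value
        }
        return "href=\"" + StringEscapeUtils.escapeXml(url) + "\"";
    }

    // Script context: escapeXml is the wrong tool. escapeJavaScript (commons-lang 2.6) escapes
    // quotes, backslashes and '/', so the value can end neither the string literal nor <script>.
    static String asJsStringLiteral(String untrusted) {
        return "'" + StringEscapeUtils.escapeJavaScript(untrusted) + "'";
    }

    public static void main(String[] args) {
        String sample = "Tom & \"Jerry\" <b>bold</b>"; // constructed sample input
        System.out.println(asText(sample));
        System.out.println(asQuotedAttribute("title", sample));
        System.out.println(asHref("/docs/index.html?q=a:b")); // no scheme: kept
        System.out.println(asHref("javascript:void(0)"));      // scheme not listed: href="#"
        System.out.println(asJsStringLiteral("it's </script>"));
    }
}
```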
