commons-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Akash Jain <akash.delh...@gmail.com>
Subject Re: StringEscapeUtils.escapeXml & XX
Date Mon, 05 May 2014 20:16:51 GMT
Hello Benedikt,

Basically I am using it as XSS prevention mechanism. So I want to use is it
safe enough ?

I am not very inclined to use ESAPI as XSS protection mechanism, hence I am
using escapeXml


On Mon, May 5, 2014 at 10:54 AM, Benedikt Ritter <britter@apache.org> wrote:

> Hello Akash,
>
> escapeXml will just escape the basic XML entities. For example:
>
> "bread" & "butter" => &quot;bread&quot; &amp; &quot;butter&quot;.
>
> escapeXml10 and escapeXml11 are extended methods that will escape some more
> characters that are illegal in XML.
>
> I don't understand what you mean by "how safe" can you give an example of a
> malformed input and the result your expecting? Then I can tell you whether
> it will be escaped ;-)
>
> Regards,
> Benedikt
>
>
> 2014-05-05 19:34 GMT+02:00 Akash Jain <akash.delhite@gmail.com>:
>
> > Martin,
> >
> > Can you tell me how safe is escapeXml function is ? Thats what I
> originally
> > wanted to know.
> >
> > Thanks.
> >
> >
> > On Mon, May 5, 2014 at 5:17 AM, Martin Gainty <mgainty@hotmail.com>
> wrote:
> >
> > > if you didnt catch XSS Vector at Javascript as it was coming in from
> > > Browser then you can write your own from:
> > >
> > >
> > >
> >
> http://commons.apache.org/proper/commons-lang/javadocs/api-2.6/src-html/org/apache/commons/lang/StringEscapeUtils.html
> > > private static void escapeJavaStyleString(Writer out, String str,
> boolean
> > > escapeSingleQuote,
> > >                boolean escapeForwardSlash) throws IOException {{
> > > //put XSS Vector attack mitigation  here
> > > }
> > >
> > > //Also in a webapp insert the configuration for owasp csrf guard
> > >     <context-param>
> > >         <param-name>Owasp.CsrfGuard.Config</param-name>
> > >         <param-value>config/Owasp.CsrfGuard.properties</param-value>
> > >     </context-param>
> > > //and of course the filter
> > >     <filter>
> > >         <filter-name>CSRFGuard</filter-name>
> > >
> <filter-class>org.owasp.csrfguard.CsrfGuardFilter</filter-class>
> > >     </filter>
> > > //and which extensions it will map to
> > >     <!-- CSRF Filter Mapping -->
> > >     <filter-mapping>
> > >         <filter-name>CSRFGuard</filter-name>
> > >         <url-pattern>*.jsf</url-pattern>
> > >     </filter-mapping>
> > >     <filter-mapping>
> > >         <filter-name>CSRFGuard</filter-name>
> > >         <url-pattern>*.jsp</url-pattern>
> > >     </filter-mapping>
> > >
> > > //session listener
> > >     <listener>
> > >         <listener-class>
> > >             org.owasp.csrfguard.CsrfGuardListener
> > >         </listener-class>
> > >     </listener>
> > >
> > >     <!-- CSRF JavaScript Servlet -->
> > >     <servlet>
> > >         <servlet-name>JavaScriptServlet</servlet-name>
> > >
> > >
> >
> <servlet-class>org.owasp.csrfguard.servlet.JavaScriptServlet</servlet-class>
> > >         <init-param>
> > >             <param-name>source-file</param-name>
> > >
> > <param-value>WEB-INF/customjs/Owasp.CsrfGuard.js</param-value>
> > >         </init-param>
> > >     </servlet>
> > > //where Owasp.CsrfGuard.js would contain something like:
> > > /** determine if uri/url points to valid domain * */
> > >     function isValidUrl(src) {
> > >         var result = false;
> > >
> > >         /** parse out domain to make sure it points to our own * */
> > >         if(src.substring(0, 7) == "http://" || src.substring(0, 8) ==
> > > "https://") {
> > >             var token = "://";
> > >             var index = src.indexOf(token);
> > >             var part = src.substring(index + token.length);
> > >             var domain = "";
> > >
> > >             /** parse up to end, first slash, or anchor * */
> > >             for(var i=0; i<part.length; i++) {
> > >                 var character = part.charAt(i);
> > >
> > >                 if(character == '/' || character == ':' || character ==
> > > '#') {
> > >                     break;
> > >                 } else {
> > >                     domain += character;
> > >                 }
> > >             }
> > >
> > >             result = isValidDomain(document.domain, domain);
> > >             /** explicitly skip anchors * */
> > >         } else if(src.charAt(0) == '#') {
> > >             result = false;
> > >             /** ensure it is a local resource without a protocol * */
> > >         } else if(!src.startsWith("//") && (src.charAt(0) == '/' ||
> > > src.indexOf(':') == -1)) {
> > >             result = true;
> > >         }
> > >
> > >         return result;
> > >     }
> > >
> > >
> > > Mit freundlichen Grüßen
> > >
> > > Martin
> > >
> > > > Date: Mon, 5 May 2014 00:55:22 -0700
> > > > Subject: StringEscapeUtils.escapeXml & XX
> > > > From: akash.delhite@gmail.com
> > > > To: user@commons.apache.org
> > > >
> > > > Hi,
> > > >
> > > > I want to know much secure is escapeXml
> > > > (org.apache.commons.lang.StringEscapeUtils.escapeXml) for preventing
> > all
> > > > XSS vectors ?
> > >
> > >
> >
>
>
>
> --
> http://people.apache.org/~britter/
> http://www.systemoutprintln.de/
> http://twitter.com/BenediktRitter
> http://github.com/britter
>

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message