Avoid Cross Site Scripting

  • naveenkongati
    New Member
    • Oct 2008
    • 52

    Avoid Cross Site Scripting

    I am using Tomcat 6.2 Application Server. Applications designed in MVC2 Architecture (JSP, Servlet, DAO) are running on this server. Now on my feedback form someone posted a script like
    <script>alert(' test')</script>.
    Since 10 applications are running on my Tomcat, I am expecting a solution related to pattern matching to avoid this at the web.xml level.
    Please help me out to resolve this problem.

    Thanks & Regards
  • chaarmann
    Recognized Expert Contributor
    • Nov 2007
    • 785

    #2
    It's called "malicious code insertion", what this "someone" was doing to detect dirty coding, and you are lucky that he was only testing instead of doing damage.
    You should learn from it to validate ALL your input properly.

    Especially if you write some text to a webpage, you should make sure that it is really only simple text and not some HTML.
    That means, check for and replace:
    - HTML tags: replace all "<" and ">" in your output with "&lt;" and "&gt;"
    - HTML character entity references or numeric character references: replace all "&" with "&amp;", so that for example "company C&A" is not displayed as "company C" or "company A&LtO" is not displayed as "company A<O" and so on.

    By the way, if you write the stuff to a database as an SQL statement, you should also replace single quotation marks, or Mr. "someone" will delete your whole database and steal all your passwords with a malicious SQL code insertion ...
