[Esapi-user] ricardozuasti.com - Stronger anti cross-site scripting (XSS) filter for Java web apps

Kevin W. Wall kevin.w.wall at gmail.com
Fri Jul 6 22:42:11 UTC 2012


On Fri, Jul 6, 2012 at 5:51 PM, Jeff Williams
<jeff.williams at aspectsecurity.com> wrote:
> On July 06, 2012 5:44 PM, Luke Biddell wrote:
>>
>> Bumped into this on my travels. Seems helpful from a blacklist perspective.
>>
>> Whaddaya think?
>>
>> http://ricardozuasti.com/2012/stronger-anti-cross-site-scripting-xss-filter-for-java-web-apps/
>
> I’m not crazy about this.  I suspect that <scri<script>pt> will sail
> through, but I didn’t look very closely.  I’d stick to making sure your UI
> components properly (contextually) encode untrusted data.

Only looked at this for about 30 seconds, but didn't they also need to
include things like "onclick" and "mouseover", etc.? I barely know any
JavaScript, but since those attributes can call JavaScript, it seems like
they should also be black-listed.

I guess it might be something to catch low-hanging fruit, but I always fear that
developers will find out it is there and think the JavaEE filter will catch it
so they no longer have to code defensively.  So it might be better than
nothing, but not better than doing it properly. If your site's getting hacked
and you can't take it down to patch, it might buy you some time by using
it as a virtual patch.

Anyhow, am I wrong about the "onclick" and "mouseover"? There are probably
lots of others too.

-kevin
-- 
Blog: http://off-the-wall-security.blogspot.com/
"The most likely way for the world to be destroyed, most experts agree,
is by accident. That's where we come in; we're computer professionals.
We *cause* accidents."        -- Nathaniel Borenstein
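As an added illustration of the two concerns raised in this thread (not code from the thread or from the linked blog post), the Python below models a one-pass blacklist filter, runs the nested-tag input Jeff suspects would sail through, tries a handler attribute the list does not name, and puts contextual HTML encoding beside it. The filter, the regexes, the sample strings and every function name here are assumptions constructed for this example, not the blog post's implementation.

```python
import html
import re

# Constructed stand-in for a one-pass blacklist filter (NOT the blog post's
# code): strip <script>/</script> tags and the handler attributes it names.
SCRIPT_TAG = re.compile(r"</?script[^>]*>", re.IGNORECASE)
LISTED_HANDLERS = re.compile(r"\b(onclick|onmouseover)\s*=", re.IGNORECASE)


def blacklist_strip(value: str) -> str:
    """Apply each pattern exactly once, the way a simple filter does."""
    value = SCRIPT_TAG.sub("", value)
    return LISTED_HANDLERS.sub("", value)


def blacklist_strip_until_stable(value: str) -> str:
    """Re-run until nothing changes. This closes the nested-tag hole, but the
    filter still removes only what its list names, so it is a virtual patch
    at best, not a replacement for encoding."""
    while True:
        stripped = blacklist_strip(value)
        if stripped == value:
            return value
        value = stripped


def encode_for_html_body(value: str) -> str:
    """Contextual output encoding for an HTML text-node context: every
    character that could open markup becomes an entity, so there is no
    list of bad tags or attributes to keep complete."""
    return html.escape(value, quote=True)


def contains_active_markup(rendered: str) -> bool:
    """Crude check for the demo: is there still a <script> tag, or any tag
    carrying an on*= handler attribute, in what would reach the browser?"""
    return bool(re.search(r"<script\b|<[a-z][^>]*\bon\w+\s*=",
                          rendered, re.IGNORECASE))


# Constructed sample inputs. NESTED is the case Jeff describes: removing the
# inner <script> and </script> once leaves a well-formed script element.
NESTED = "<scri<script>pt>alert(1)</scr</script>ipt>"
LISTED = '<a href="#" onclick="alert(1)">x</a>'       # handler on the list
UNLISTED = '<a href="#" onmouseout="alert(1)">x</a>'  # handler not on the list

if __name__ == "__main__":
    for sample in (NESTED, LISTED, UNLISTED):
        print("blacklist :", blacklist_strip(sample))
        print("encoded   :", encode_for_html_body(sample))
```

Running it shows the one-pass filter reassembling `<script>alert(1)</script>` from the nested input and passing the unlisted handler untouched, while the encoded form of every sample contains no markup at all.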

