[Esapi-user] XSS prevention

Kevin W. Wall kevin.w.wall at gmail.com
Thu Aug 24 00:39:10 UTC 2017


On Mon, Aug 21, 2017 at 5:34 AM, Uma Venkatakrishnan
<uma at akhilainfo.co.in> wrote:
> Hi All,
>
> I have a general query on xss prevention. To avoid xss attacks, I assume
> that whenever we have an input field in a jsp, we should escape it and show
> it to the user. i.e. all user enterable fields in a jsp should be escaped
> using any of the tag library functions.

Using the ESAPI tag library is probably the simplest way, but you
could also use JSP expression language and something like:

    ${ESAPI.encoder().encodeForHTMLAttribute(myBean.name)}

(to build on your example).

The important thing is that you need to use the APPROPRIATE Encoder
method (or tag library method) that fits the specific context. See
<https://static.javadoc.io/org.owasp.esapi/esapi/2.1.0.1/org/owasp/esapi/Encoder.html>
for details.

> When we do that, the user sees the
> input filed value with escape sequences if he has entered any special
> characters. My user community says that this is ambiguous to the user.
>
> For instance , I have
> <form:input id="name" type="text" name="name" path="name"
> value="${fn:escapeXml(myBean.name)}" autocomplete="off"/>
>
>
> whenever user enters 'Mr & Mrs. Mathew' in the above field, it gets
> converted to 'Mr & Mrs Mathew' in the screen. This happens when an
> action button is clicked. My users are expecting to see only 'Mr & Mrs.
> Mathew' as they typed in. Is this expected or am I going wrong in the usage
> of xss prevention functions?

Well, for one thing, fn:escapeXml() is not the right method to use in
this context.
I'm not sure what tag library that is, but it's definitely NOT ESAPI's
tag library.

For ESAPI you should be using something like
    esapi:encodeForHTMLAttribute(myBean.name)
here (where 'esapi:' has you picking up the ESAPI tag library, which
you can find under "configuration/META-INF/esapi.tld").

Although using the JSTL core

     <form:input id="name" type="text" name="name" path="name"
                      value="${c:out(myBean.name)}" autocomplete="off"/>

should really work fine in this context as well.

If you haven't already, I suggest that even before you start digging
into ESAPI, that you thoroughly review
"XSS Prevention Cheat Sheet"
<https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet>

If you don't understand that, you aren't going to understand how to
apply XSS protection via ESAPI, the OWASP Java Encoder Project, or the
OWASP Java HTML Sanitizer Project.

-kevin
-- 
Blog: http://off-the-wall-security.blogspot.com/    | Twitter: @KevinWWall
NSA: All your crypto bit are belong to us.
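An added illustration, not ESAPI's own code and not part of the original thread: a Python analogue of what an attribute-context encoder such as encodeForHTMLAttribute() does, plus a stand-in for the browser's parsing, showing that a value encoded once for the attribute context is displayed exactly as typed, while the same value encoded twice (for instance, stored already encoded and then encoded again by the view) is what makes escape sequences visible in the text box. The encoder, the markup and the sample value are constructed for this example.

```python
from html.parser import HTMLParser

# Constructed analogue of ESAPI's Encoder.encodeForHTMLAttribute(), not ESAPI's
# own code: anything other than an ASCII letter or digit becomes a numeric
# character reference, so the value can never close the quoted attribute or
# start a tag.  (ESAPI itself prefers named entities such as &amp; where one exists.)
def encode_for_html_attribute(value: str) -> str:
    return "".join(
        ch if (ch.isascii() and ch.isalnum()) else f"&#x{ord(ch):x};"
        for ch in value
    )


def render_input(value: str) -> str:
    """The <input> the JSP view would emit, encoded once for the attribute context."""
    return f'<input id="name" type="text" name="name" value="{encode_for_html_attribute(value)}"/>'


class _DomStandIn(HTMLParser):
    """Stand-in for the browser: parse markup and keep each tag's decoded attributes."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser decodes character references inside attribute values,
        # just as a browser does when it builds the DOM.
        self.tags.append((tag, dict(attrs)))


def browser_sees(markup: str) -> dict:
    """Attributes the browser's DOM holds for the first <input> in markup."""
    parser = _DomStandIn()
    parser.feed(markup)
    parser.close()
    return next((attrs for tag, attrs in parser.tags if tag == "input"), {})


def field_as_displayed(typed: str, already_encoded: bool = False) -> str:
    """What the user sees in the text box after the page is rendered.

    already_encoded=True models a bean value that was encoded before it was
    stored and is then encoded again by the view: the user sees the escape
    sequences themselves instead of what was typed.
    """
    stored = encode_for_html_attribute(typed) if already_encoded else typed
    return browser_sees(render_input(stored))["value"]
```

Encoding once and only in the view keeps the displayed value identical to the input; a stray double quote in the value stays inside the attribute rather than creating a new one.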