Every web application developer would have come across Cross Site Scripting security vulnerability.

If you have not heard yet, here is the wiki link- https://en.wikipedia.org/wiki/Cross-site_scripting

Below are few solutions for reference

If you are using any MVC frameworks (like spring, struts etc) and Tag libraries (like JSTL, Spring tags etc) to display dynamic data in the screen (JSP or ASP etc), out of the box framework does escape HTML characters so all the data elements displayed on the screen via these tag libraries are safe. I.e they will Not execute as script. So just review your code and make sure all user data is displayed on screen via tag library.

Note: Sometimes data coming from database or some trusted source can contain HTML characters to display superscript, trademark etc… so careful with those.

If you are using any custom MVC frameworks and require special coding then write a java function which can take a string value and replace any vulnerable script characters (following 5 characters) < > % ” and & in to there equavalent HTML characters.

  1. < should be replaced by &lt;
  2. > should be replaced by &gt;
  3. ” should be replaced by &quot;
  4. % can be replaced by &#37;
  5. & can be replaced by &am

Make a scriplet (java in JSP) call to this funtion for every user input data.

Share this post

Fixing Cross Site Scripting-XSS
Tagged on:     

Leave a Reply

Your email address will not be published. Required fields are marked *