Posted to user@struts.apache.org by Greg Akins <an...@gmail.com> on 2011/02/10 19:39:14 UTC

XSS Validation

I'm looking to do some general input sanitization on a Struts2 application.

Thinking that the OWASP validators might be a good place to start;
maybe along with a Struts CustomValidator

Has anyone done anything like this?  Does anyone have some advice for
providing "general" protection against XSS and other types of
non-checked input vulnerabilities?

-- 
Greg Akins
http://twitter.com/akinsgre

---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
For additional commands, e-mail: user-help@struts.apache.org


RE: XSS Validation

Posted by "Altenhof, David Aron" <da...@iupui.edu>.
Greg-

There seem to be two issues that you've talked about.

1) Input sanitization: OWASP doesn't directly address this, as I recall. They do have a canonicalization library that you can use to prevent funny character tricks that let characters sneak past your filtering, however. You should use this canonicalizer before filtering out bad characters such as angle brackets, ampersands, percent signs, etc. (I integrated this into a Web app using a plain old Java filter, and not using Struts2).
2) Validation, which can be used to prevent XSS. Once again, I don't think the OWASP library addresses this directly, however, you can certainly do your own rules in Struts2. In general, the stricter the better for any given field.

The main feature of OWASP seems to be *output encoding*, which can be customized for various contexts: HTML, attributes, JavaScript. Struts2 does some output encoding (for example, angle brackets and quotes), but not nearly as much as the OWASP library.

I'd also be interested to find out if anyone has integrated S2 and OWASP output escaping. It would not be a simple integration, however, as you would have to change the encoding functions depending on the context. As I mentioned above, there's a different library for encoding user input depending on whether you're using it in attributes, html, or javascript. Perhaps you could create custom <s:property> type tags for each of these contexts.

-David 


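The three steps David describes, as an added example that is not code from this thread, from OWASP or from Struts2: canonicalize the input, validate the canonical value against a strict per-field rule, then encode on output for the exact context the value lands in (HTML element body, quoted attribute, JavaScript string). It is plain Java 11 or later; the "username" rule, the class and method names, and the sample values are assumptions, and the encoders are minimal stand-ins for what a library such as OWASP's provides, not a replacement for it.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.regex.Pattern;
public class XssDefenses {
    // Strict per-field whitelist (hypothetical rule for a "username" field).
    static final Pattern USERNAME = Pattern.compile("^[A-Za-z0-9_.-]{1,32}$");
    // Step 1: canonicalize. Repeatedly percent-decode so a double-encoded %253C
    // becomes '<' before any filter or validator sees it. This is a minimal
    // stand-in for a real canonicalization library ('+' also becomes a space).
    static String canonicalize(String s) {
        for (int i = 0; i < 5; i++) {               // bounded: stops on a fixed point
            String d;
            try { d = URLDecoder.decode(s, StandardCharsets.UTF_8); }
            catch (IllegalArgumentException e) { break; }  // malformed %xx: keep last good value
            if (d.equals(s)) break;
            s = d;
        }
        return s;
    }
    // Step 2: validate the canonical value, never the raw one.
    static boolean isValidUsername(String raw) {
        return USERNAME.matcher(canonicalize(raw)).matches();
    }
    // Step 3: output-encode for the exact context the value lands in.
    static String encodeForHtml(String s) {           // element body
        return s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")
                .replace("\"", "&quot;").replace("'", "&#x27;");
    }
    static String encodeForHtmlAttribute(String s) {  // quoted attribute value
        StringBuilder b = new StringBuilder();
        for (char c : s.toCharArray())
            b.append(isAlnum(c) ? String.valueOf(c) : "&#x" + Integer.toHexString(c) + ";");
        return b.toString();
    }
    static String encodeForJavaScript(String s) {     // inside a JS string literal
        StringBuilder b = new StringBuilder();
        for (char c : s.toCharArray())
            b.append(isAlnum(c) ? String.valueOf(c) : String.format("\\u%04X", (int) c));
        return b.toString();
    }
    static boolean isAlnum(char c) { return c < 128 && Character.isLetterOrDigit(c); }
    public static void main(String[] args) {
        System.out.println(isValidUsername("greg.akins"));        // true
        System.out.println(isValidUsername("%253Cscript%253E"));  // false: decodes to <script>
        String v = "O'Neil <b>&\"";                                // constructed sample value
        System.out.println("<td>" + encodeForHtml(v) + "</td>");
        System.out.println("<input value=\"" + encodeForHtmlAttribute(v) + "\">");
        System.out.println("var name = '" + encodeForJavaScript(v) + "';");
    }
}
```

The same value is encoded three different ways, which is the reason a single escaping tag cannot serve every context and why per-context tags, as suggested above, are needed.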