Posted to user@commons.apache.org by Akash Jain <ak...@gmail.com> on 2014/05/05 09:55:22 UTC
StringEscapeUtils.escapeXml & XX
Hi,
I want to know how secure escapeXml
(org.apache.commons.lang.StringEscapeUtils.escapeXml) is for preventing all
XSS vectors?
Re: StringEscapeUtils.escapeXml & XX
Posted by Akash Jain <ak...@gmail.com>.
I appreciate your response.
However, my main question is still not answered: is
StringEscapeUtils.escapeXml not enough to prevent XSS?
On Tue, May 6, 2014 at 10:23 PM, Benedikt Ritter <br...@apache.org> wrote:
> Hello Akash,
>
> maybe this can help:
>
> http://stackoverflow.com/questions/10487648/prevent-xss-in-spring-mvc
>
> http://stackoverflow.com/questions/12538227/how-to-prevent-xss-attacks-with-springmvc-jackson-application
> http://jeevanpatil.wordpress.com/2011/07/22/prevention_of_xss/
>
> There is a lot on Google about this ;-) Or you ask at OWASP how to integrate
> the other systems that caused the problems with ESAPI.
>
> Regards,
> Benedikt
>
Re: StringEscapeUtils.escapeXml & XX
Posted by Benedikt Ritter <br...@apache.org>.
Hello Akash,
maybe this can help:
http://stackoverflow.com/questions/10487648/prevent-xss-in-spring-mvc
http://stackoverflow.com/questions/12538227/how-to-prevent-xss-attacks-with-springmvc-jackson-application
http://jeevanpatil.wordpress.com/2011/07/22/prevention_of_xss/
There is a lot on Google about this ;-) Or you ask at OWASP how to integrate
the other systems that caused the problems with ESAPI.
Regards,
Benedikt
2014-05-07 2:23 GMT+02:00 Akash Jain <ak...@gmail.com>:
> ESAPI has given us some problems with other systems we interact with.
>
> I am using Java 7 with Spring 3.2 MVC in Tomcat 7.
>
--
http://people.apache.org/~britter/
http://www.systemoutprintln.de/
http://twitter.com/BenediktRitter
http://github.com/britter
Re: StringEscapeUtils.escapeXml & XX
Posted by Akash Jain <ak...@gmail.com>.
ESAPI has given us some problems with other systems we interact with.
I am using Java 7 with Spring 3.2 MVC in Tomcat 7.
On Tue, May 6, 2014 at 4:29 AM, Benedikt Ritter <br...@apache.org> wrote:
> Hello Akash,
>
>
> 2014-05-05 22:16 GMT+02:00 Akash Jain <ak...@gmail.com>:
>
> > Hello Benedikt,
> >
> > Basically I am using it as an XSS prevention mechanism. So I want to know: is
> > it safe enough?
> >
>
> As I've said: escapeXml just escapes the basic XML entities. It depends on
> what you're doing with the escaped content. Since I don't know the
> environment you're working in, I cannot tell which kinds of XSS are
> possible. But I don't think that just using escapeXml is sufficient. My
> feeling is that using a full-blown XSS prevention library like ESAPI is a
> better solution.
>
> Benedikt
Re: StringEscapeUtils.escapeXml & XX
Posted by Benedikt Ritter <br...@apache.org>.
Hello Akash,
2014-05-05 22:16 GMT+02:00 Akash Jain <ak...@gmail.com>:
> Hello Benedikt,
>
> Basically I am using it as an XSS prevention mechanism. So I want to know: is it
> safe enough?
>
As I've said: escapeXml just escapes the basic XML entities. It depends on
what you're doing with the escaped content. Since I don't know the
environment you're working in, I cannot tell which kinds of XSS are
possible. But I don't think that just using escapeXml is sufficient. My
feeling is that using a full-blown XSS prevention library like ESAPI is a
better solution.
Benedikt
>
> I am not very inclined to use ESAPI as an XSS protection mechanism, hence I am
> using escapeXml.
>
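The point made in the reply above, that what escapeXml buys you depends on where the escaped content ends up, worked through in Java as an added example (this is not code from the thread, from Commons Lang or from ESAPI). It calls StringEscapeUtils.escapeXml from Commons Lang 2.6, which escapes only the five basic XML entities, on one constructed payload per HTML output context and reports whether the rendered markup still carries the payload in an executable position. The templates, the payloads and the narrow per-context checks are this example's own; the only assumption is commons-lang 2.6 on the classpath.

```java
import org.apache.commons.lang.StringEscapeUtils;

import java.util.LinkedHashMap;
import java.util.Map;

/*
 * Added example, not code from the mailing-list thread, Commons Lang or
 * ESAPI. Splices the output of StringEscapeUtils.escapeXml (Commons Lang
 * 2.6) into several HTML output contexts and checks, per context, whether
 * a payload built for that context survives. "%s" marks where a JSP would
 * print the escaped user value.
 */
public class EscapeXmlContexts {

    // Constructed cases: context name, output template, payload for it.
    static final String[][] CASES = {
        {"element body",
         "<p>%s</p>",
         "<script>alert(1)</script>"},
        {"double-quoted attribute",
         "<input value=\"%s\">",
         "\" onfocus=\"alert(1)\" autofocus=\""},
        {"unquoted attribute",
         "<input value=%s>",
         "x onfocus=alert(1) autofocus"},
        {"href attribute",
         "<a href=\"%s\">profile</a>",
         "javascript:alert(1)"},
    };

    /** Escapes the user input with escapeXml and renders it into the template. */
    static String render(String template, String userInput) {
        return String.format(template, StringEscapeUtils.escapeXml(userInput));
    }

    /**
     * Context-specific check of whether this example's payload survived.
     * Deliberately narrow: it only recognises the payloads built above.
     */
    static boolean stillExecutes(String context, String rendered) {
        if (context.equals("element body") || context.equals("double-quoted attribute")) {
            // Opening a new tag or attribute needs a raw '<' or '"' to survive.
            return rendered.contains("<script") || rendered.contains("\" onfocus=");
        }
        if (context.equals("unquoted attribute")) {
            // No quote needed: whitespace ends the value and starts a new attribute.
            return rendered.contains(" onfocus=alert(1)");
        }
        if (context.equals("href attribute")) {
            // Scheme check: "javascript:" contains nothing escapeXml touches.
            String value = rendered.substring(rendered.indexOf("href=\"") + 6);
            value = value.substring(0, value.indexOf('"'));
            return value.trim().toLowerCase().startsWith("javascript:");
        }
        throw new IllegalArgumentException("unknown context: " + context);
    }

    /** Context name -> true when escapeXml alone did NOT stop the payload. */
    static Map<String, Boolean> evaluate() {
        Map<String, Boolean> verdicts = new LinkedHashMap<String, Boolean>();
        for (String[] c : CASES) {
            verdicts.put(c[0], stillExecutes(c[0], render(c[1], c[2])));
        }
        return verdicts;
    }

    public static void main(String[] args) {
        for (String[] c : CASES) {
            String out = render(c[1], c[2]);
            System.out.printf("%-26s %-4s %s%n", c[0],
                    stillExecutes(c[0], out) ? "XSS" : "ok", out);
        }
    }
}
```

escapeXml holds up wherever the browser needs a raw <, &, " or ' to change how it parses the page, which covers element content and quoted attribute values. It does nothing for the unquoted attribute, where a space is enough to start a new attribute, or for the href, where javascript:alert(1) contains no character it touches; and it is not a JavaScript, CSS or URL encoder, so a value printed into a script block or a URL needs a different encoder altogether. That is the gap per-context encoders (in ESAPI: encodeForHTML, encodeForHTMLAttribute, encodeForJavaScript, encodeForURL) close. escapeXml on its own is enough only when every user value lands in element content or a quoted attribute value of plain HTML, and the code review has to confirm that for every output, not just most of them.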
Re: StringEscapeUtils.escapeXml & XX
Posted by Akash Jain <ak...@gmail.com>.
Hello Benedikt,
Basically I am using it as an XSS prevention mechanism. So I want to know: is it
safe enough?
I am not very inclined to use ESAPI as an XSS protection mechanism, hence I am
using escapeXml.
On Mon, May 5, 2014 at 10:54 AM, Benedikt Ritter <br...@apache.org> wrote:
> Hello Akash,
>
> escapeXml will just escape the basic XML entities. For example:
>
> "bread" & "butter" => &quot;bread&quot; &amp; &quot;butter&quot;.
>
> escapeXml10 and escapeXml11 are extended methods that will escape some more
> characters that are illegal in XML.
>
> I don't understand what you mean by "how safe". Can you give an example of a
> malformed input and the result you're expecting? Then I can tell you whether
> it will be escaped ;-)
>
> Regards,
> Benedikt
>
>
> 2014-05-05 19:34 GMT+02:00 Akash Jain <ak...@gmail.com>:
>
> > Martin,
> >
> > Can you tell me how safe the escapeXml function is? That's what I
> > originally wanted to know.
> >
> > Thanks.
> >
> >
> > On Mon, May 5, 2014 at 5:17 AM, Martin Gainty <mg...@hotmail.com> wrote:
> >
> > > If you didn't catch the XSS vector in JavaScript as it was coming in from
> > > the browser, then you can write your own from:
> > >
> > > http://commons.apache.org/proper/commons-lang/javadocs/api-2.6/src-html/org/apache/commons/lang/StringEscapeUtils.html
> > >
> > > private static void escapeJavaStyleString(Writer out, String str,
> > >         boolean escapeSingleQuote, boolean escapeForwardSlash) throws IOException {
> > >     //put XSS Vector attack mitigation here
> > > }
> > >
> > > //Also in a webapp insert the configuration for owasp csrf guard
> > > <context-param>
> > >   <param-name>Owasp.CsrfGuard.Config</param-name>
> > >   <param-value>config/Owasp.CsrfGuard.properties</param-value>
> > > </context-param>
> > > //and of course the filter
> > > <filter>
> > >   <filter-name>CSRFGuard</filter-name>
> > >   <filter-class>org.owasp.csrfguard.CsrfGuardFilter</filter-class>
> > > </filter>
> > > //and which extensions it will map to
> > > <!-- CSRF Filter Mapping -->
> > > <filter-mapping>
> > >   <filter-name>CSRFGuard</filter-name>
> > >   <url-pattern>*.jsf</url-pattern>
> > > </filter-mapping>
> > > <filter-mapping>
> > >   <filter-name>CSRFGuard</filter-name>
> > >   <url-pattern>*.jsp</url-pattern>
> > > </filter-mapping>
> > >
> > > //session listener
> > > <listener>
> > >   <listener-class>
> > >     org.owasp.csrfguard.CsrfGuardListener
> > >   </listener-class>
> > > </listener>
> > >
> > > <!-- CSRF JavaScript Servlet -->
> > > <servlet>
> > >   <servlet-name>JavaScriptServlet</servlet-name>
> > >   <servlet-class>org.owasp.csrfguard.servlet.JavaScriptServlet</servlet-class>
> > >   <init-param>
> > >     <param-name>source-file</param-name>
> > >     <param-value>WEB-INF/customjs/Owasp.CsrfGuard.js</param-value>
> > >   </init-param>
> > > </servlet>
> > > //where Owasp.CsrfGuard.js would contain something like:
> > > /** determine if uri/url points to valid domain * */
> > > function isValidUrl(src) {
> > >     var result = false;
> > >
> > >     /** parse out domain to make sure it points to our own * */
> > >     if(src.substring(0, 7) == "http://" || src.substring(0, 8) == "https://") {
> > >         var token = "://";
> > >         var index = src.indexOf(token);
> > >         var part = src.substring(index + token.length);
> > >         var domain = "";
> > >
> > >         /** parse up to end, first slash, or anchor * */
> > >         for(var i=0; i<part.length; i++) {
> > >             var character = part.charAt(i);
> > >
> > >             if(character == '/' || character == ':' || character == '#') {
> > >                 break;
> > >             } else {
> > >                 domain += character;
> > >             }
> > >         }
> > >
> > >         result = isValidDomain(document.domain, domain);
> > >     /** explicitly skip anchors * */
> > >     } else if(src.charAt(0) == '#') {
> > >         result = false;
> > >     /** ensure it is a local resource without a protocol * */
> > >     } else if(!src.startsWith("//") && (src.charAt(0) == '/' || src.indexOf(':') == -1)) {
> > >         result = true;
> > >     }
> > >
> > >     return result;
> > > }
> > >
> > >
> > > Kind regards
> > >
> > > Martin
> > >
> > > > Date: Mon, 5 May 2014 00:55:22 -0700
> > > > Subject: StringEscapeUtils.escapeXml & XX
> > > > From: akash.delhite@gmail.com
> > > > To: user@commons.apache.org
> > > >
> > > > Hi,
> > > >
> > > > I want to know how secure escapeXml
> > > > (org.apache.commons.lang.StringEscapeUtils.escapeXml) is for preventing all
> > > > XSS vectors?
> > >
> > >
> >
>
Re: StringEscapeUtils.escapeXml & XX
Posted by Benedikt Ritter <br...@apache.org>.
Hello Akash,
escapeXml will just escape the basic XML entities. For example:
"bread" & "butter" => &quot;bread&quot; &amp; &quot;butter&quot;.
escapeXml10 and escapeXml11 are extended methods that will escape some more
characters that are illegal in XML.
I don't understand what you mean by "how safe". Can you give an example of a
malformed input and the result you're expecting? Then I can tell you whether
it will be escaped ;-)
Regards,
Benedikt
2014-05-05 19:34 GMT+02:00 Akash Jain <ak...@gmail.com>:
> Martin,
>
> Can you tell me how safe the escapeXml function is? That's what I originally
> wanted to know.
>
> Thanks.
>
>
> On Mon, May 5, 2014 at 5:17 AM, Martin Gainty <mg...@hotmail.com> wrote:
>
> > If you didn't catch the XSS vector in JavaScript as it was coming in from the
> > browser, then you can write your own from:
> >
> >
> >
> http://commons.apache.org/proper/commons-lang/javadocs/api-2.6/src-html/org/apache/commons/lang/StringEscapeUtils.html
> > private static void escapeJavaStyleString(Writer out, String str, boolean
> > escapeSingleQuote,
> > boolean escapeForwardSlash) throws IOException {
> > //put XSS Vector attack mitigation here
> > }
> >
> > //Also in a webapp insert the configuration for owasp csrf guard
> > <context-param>
> > <param-name>Owasp.CsrfGuard.Config</param-name>
> > <param-value>config/Owasp.CsrfGuard.properties</param-value>
> > </context-param>
> > //and of course the filter
> > <filter>
> > <filter-name>CSRFGuard</filter-name>
> > <filter-class>org.owasp.csrfguard.CsrfGuardFilter</filter-class>
> > </filter>
> > //and which extensions it will map to
> > <!-- CSRF Filter Mapping -->
> > <filter-mapping>
> > <filter-name>CSRFGuard</filter-name>
> > <url-pattern>*.jsf</url-pattern>
> > </filter-mapping>
> > <filter-mapping>
> > <filter-name>CSRFGuard</filter-name>
> > <url-pattern>*.jsp</url-pattern>
> > </filter-mapping>
> >
> > //session listener
> > <listener>
> > <listener-class>
> > org.owasp.csrfguard.CsrfGuardListener
> > </listener-class>
> > </listener>
> >
> > <!-- CSRF JavaScript Servlet -->
> > <servlet>
> > <servlet-name>JavaScriptServlet</servlet-name>
> >
> >
> <servlet-class>org.owasp.csrfguard.servlet.JavaScriptServlet</servlet-class>
> > <init-param>
> > <param-name>source-file</param-name>
> >
> <param-value>WEB-INF/customjs/Owasp.CsrfGuard.js</param-value>
> > </init-param>
> > </servlet>
> > //where Owasp.CsrfGuard.js would contain something like:
> > /** determine if uri/url points to valid domain * */
> > function isValidUrl(src) {
> > var result = false;
> >
> > /** parse out domain to make sure it points to our own * */
> > if(src.substring(0, 7) == "http://" || src.substring(0, 8) ==
> > "https://") {
> > var token = "://";
> > var index = src.indexOf(token);
> > var part = src.substring(index + token.length);
> > var domain = "";
> >
> > /** parse up to end, first slash, or anchor * */
> > for(var i=0; i<part.length; i++) {
> > var character = part.charAt(i);
> >
> > if(character == '/' || character == ':' || character ==
> > '#') {
> > break;
> > } else {
> > domain += character;
> > }
> > }
> >
> > result = isValidDomain(document.domain, domain);
> > /** explicitly skip anchors * */
> > } else if(src.charAt(0) == '#') {
> > result = false;
> > /** ensure it is a local resource without a protocol * */
> > } else if(!src.startsWith("//") && (src.charAt(0) == '/' ||
> > src.indexOf(':') == -1)) {
> > result = true;
> > }
> >
> > return result;
> > }
> >
> >
> > Kind regards
> >
> > Martin
> >
> > > Date: Mon, 5 May 2014 00:55:22 -0700
> > > Subject: StringEscapeUtils.escapeXml & XX
> > > From: akash.delhite@gmail.com
> > > To: user@commons.apache.org
> > >
> > > Hi,
> > >
> > > I want to know how secure escapeXml
> > > (org.apache.commons.lang.StringEscapeUtils.escapeXml) is for preventing
> > > all XSS vectors?
> >
> >
>
--
http://people.apache.org/~britter/
http://www.systemoutprintln.de/
http://twitter.com/BenediktRitter
http://github.com/britter
Re: StringEscapeUtils.escapeXml & XX
Posted by Akash Jain <ak...@gmail.com>.
Martin,
Can you tell me how safe the escapeXml function is? That's what I originally
wanted to know.
Thanks.
On Mon, May 5, 2014 at 5:17 AM, Martin Gainty <mg...@hotmail.com> wrote:
> If you didn't catch the XSS vector in JavaScript as it was coming in from the
> browser, then you can write your own from:
>
>
> http://commons.apache.org/proper/commons-lang/javadocs/api-2.6/src-html/org/apache/commons/lang/StringEscapeUtils.html
> private static void escapeJavaStyleString(Writer out, String str, boolean
> escapeSingleQuote,
> boolean escapeForwardSlash) throws IOException {
> //put XSS Vector attack mitigation here
> }
>
> //Also in a webapp insert the configuration for owasp csrf guard
> <context-param>
> <param-name>Owasp.CsrfGuard.Config</param-name>
> <param-value>config/Owasp.CsrfGuard.properties</param-value>
> </context-param>
> //and of course the filter
> <filter>
> <filter-name>CSRFGuard</filter-name>
> <filter-class>org.owasp.csrfguard.CsrfGuardFilter</filter-class>
> </filter>
> //and which extensions it will map to
> <!-- CSRF Filter Mapping -->
> <filter-mapping>
> <filter-name>CSRFGuard</filter-name>
> <url-pattern>*.jsf</url-pattern>
> </filter-mapping>
> <filter-mapping>
> <filter-name>CSRFGuard</filter-name>
> <url-pattern>*.jsp</url-pattern>
> </filter-mapping>
>
> //session listener
> <listener>
> <listener-class>
> org.owasp.csrfguard.CsrfGuardListener
> </listener-class>
> </listener>
>
> <!-- CSRF JavaScript Servlet -->
> <servlet>
> <servlet-name>JavaScriptServlet</servlet-name>
>
> <servlet-class>org.owasp.csrfguard.servlet.JavaScriptServlet</servlet-class>
> <init-param>
> <param-name>source-file</param-name>
> <param-value>WEB-INF/customjs/Owasp.CsrfGuard.js</param-value>
> </init-param>
> </servlet>
> //where Owasp.CsrfGuard.js would contain something like:
> /** determine if uri/url points to valid domain * */
> function isValidUrl(src) {
> var result = false;
>
> /** parse out domain to make sure it points to our own * */
> if(src.substring(0, 7) == "http://" || src.substring(0, 8) ==
> "https://") {
> var token = "://";
> var index = src.indexOf(token);
> var part = src.substring(index + token.length);
> var domain = "";
>
> /** parse up to end, first slash, or anchor * */
> for(var i=0; i<part.length; i++) {
> var character = part.charAt(i);
>
> if(character == '/' || character == ':' || character ==
> '#') {
> break;
> } else {
> domain += character;
> }
> }
>
> result = isValidDomain(document.domain, domain);
> /** explicitly skip anchors * */
> } else if(src.charAt(0) == '#') {
> result = false;
> /** ensure it is a local resource without a protocol * */
> } else if(!src.startsWith("//") && (src.charAt(0) == '/' ||
> src.indexOf(':') == -1)) {
> result = true;
> }
>
> return result;
> }
>
>
> Kind regards
>
> Martin
>
> > Date: Mon, 5 May 2014 00:55:22 -0700
> > Subject: StringEscapeUtils.escapeXml & XX
> > From: akash.delhite@gmail.com
> > To: user@commons.apache.org
> >
> > Hi,
> >
> > I want to know how secure escapeXml
> > (org.apache.commons.lang.StringEscapeUtils.escapeXml) is for preventing all
> > XSS vectors?
>
>
RE: StringEscapeUtils.escapeXml & XX
Posted by Martin Gainty <mg...@hotmail.com>.
If you didn't catch the XSS vector in JavaScript as it was coming in from the browser, then you can write your own from:
http://commons.apache.org/proper/commons-lang/javadocs/api-2.6/src-html/org/apache/commons/lang/StringEscapeUtils.html
private static void escapeJavaStyleString(Writer out, String str, boolean escapeSingleQuote,
        boolean escapeForwardSlash) throws IOException {
    //put XSS Vector attack mitigation here
}
//Also in a webapp insert the configuration for owasp csrf guard
<context-param>
    <param-name>Owasp.CsrfGuard.Config</param-name>
    <param-value>config/Owasp.CsrfGuard.properties</param-value>
</context-param>
//and of course the filter
<filter>
    <filter-name>CSRFGuard</filter-name>
    <filter-class>org.owasp.csrfguard.CsrfGuardFilter</filter-class>
</filter>
//and which extensions it will map to
<!-- CSRF Filter Mapping -->
<filter-mapping>
    <filter-name>CSRFGuard</filter-name>
    <url-pattern>*.jsf</url-pattern>
</filter-mapping>
<filter-mapping>
    <filter-name>CSRFGuard</filter-name>
    <url-pattern>*.jsp</url-pattern>
</filter-mapping>
//session listener
<listener>
    <listener-class>
        org.owasp.csrfguard.CsrfGuardListener
    </listener-class>
</listener>
<!-- CSRF JavaScript Servlet -->
<servlet>
    <servlet-name>JavaScriptServlet</servlet-name>
    <servlet-class>org.owasp.csrfguard.servlet.JavaScriptServlet</servlet-class>
    <init-param>
        <param-name>source-file</param-name>
        <param-value>WEB-INF/customjs/Owasp.CsrfGuard.js</param-value>
    </init-param>
</servlet>
//where Owasp.CsrfGuard.js would contain something like:
/** determine if uri/url points to valid domain * */
function isValidUrl(src) {
    var result = false;
    /** parse out domain to make sure it points to our own * */
    if(src.substring(0, 7) == "http://" || src.substring(0, 8) == "https://") {
        var token = "://";
        var index = src.indexOf(token);
        var part = src.substring(index + token.length);
        var domain = "";
        /** parse up to end, first slash, or anchor * */
        for(var i=0; i<part.length; i++) {
            var character = part.charAt(i);
            if(character == '/' || character == ':' || character == '#') {
                break;
            } else {
                domain += character;
            }
        }
        result = isValidDomain(document.domain, domain);
    /** explicitly skip anchors * */
    } else if(src.charAt(0) == '#') {
        result = false;
    /** ensure it is a local resource without a protocol * */
    } else if(!src.startsWith("//") && (src.charAt(0) == '/' || src.indexOf(':') == -1)) {
        result = true;
    }
    return result;
}
Kind regards
Martin
> Date: Mon, 5 May 2014 00:55:22 -0700
> Subject: StringEscapeUtils.escapeXml & XX
> From: akash.delhite@gmail.com
> To: user@commons.apache.org
>
> Hi,
>
> I want to know how secure escapeXml
> (org.apache.commons.lang.StringEscapeUtils.escapeXml) is for preventing all
> XSS vectors?
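The following is an added example, not code from Commons Lang, OWASP CSRFGuard or any of the posters. It ties together the two answers in this thread: Benedikt's point that escapeXml only rewrites the five basic XML entities (which makes it the right tool for text nodes and quoted attribute values and for nothing else), and Martin's isValidUrl, which does the job entity escaping cannot do for a URL-valued attribute such as href, namely checking scheme and host. Assumptions: escapeXmlBasic is a model of the escaping described above, not the library call; isValidDomain is a stand-in for CSRFGuard's helper (which is not on the page) doing a case-insensitive exact host match; and document.domain is replaced by an explicit ownDomain argument so the code runs under Node.

```javascript
// Added example for this thread; not code from Commons Lang, OWASP CSRFGuard
// or the posters. Assumptions: escapeXmlBasic models the five-entity escaping
// described in the thread; isValidDomain is an assumed stand-in for
// CSRFGuard's helper; ownDomain replaces document.domain.

const XML_ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&apos;' };

// Model of escapeXml's behaviour as described above: & < > " ' only.
function escapeXmlBasic(str) {
  return String(str).replace(/[&<>"']/g, (ch) => XML_ENTITIES[ch]);
}

// Assumed stand-in for CSRFGuard's isValidDomain: exact, case-insensitive host match.
function isValidDomain(current, target) {
  return current.toLowerCase() === target.toLowerCase();
}

// Same decision logic as the thread's isValidUrl, parameterised on ownDomain.
function isValidUrl(src, ownDomain) {
  let result = false;
  if (src.substring(0, 7) === 'http://' || src.substring(0, 8) === 'https://') {
    // absolute URL: the host runs from after "://" up to end, '/', ':' or '#'
    const part = src.substring(src.indexOf('://') + 3);
    let domain = '';
    for (const ch of part) {
      if (ch === '/' || ch === ':' || ch === '#') break;
      domain += ch;
    }
    result = isValidDomain(ownDomain, domain);
  } else if (src.charAt(0) === '#') {
    result = false;   // bare anchors are explicitly rejected
  } else if (!src.startsWith('//') && (src.charAt(0) === '/' || src.indexOf(':') === -1)) {
    result = true;    // local path: no scheme and not protocol-relative ("//host")
  }
  return result;
}

// Context-aware rendering of a link. Link text and the attribute value are
// entity-escaped; the href is only used if it passes isValidUrl, otherwise an
// inert "#" is emitted. Escaping alone cannot make this decision: a URL with a
// foreign host or a non-http scheme contains none of the five characters
// escapeXml rewrites, so it would pass through escapeXml unchanged.
function renderLink(text, href, ownDomain) {
  const safeHref = isValidUrl(href, ownDomain) ? href : '#';
  return '<a href="' + escapeXmlBasic(safeHref) + '">' + escapeXmlBasic(text) + '</a>';
}

// Constructed sample inputs (not from the thread).
const OWN_DOMAIN = 'www.example.org';
const SAMPLE_URLS = [
  'http://www.example.org/index.jsp',     // own host          -> accepted
  'https://www.example.org:8443/a#frag',  // own host, port    -> accepted
  '/relative/path.jsp',                   // local path        -> accepted
  'page.jsp?x=1',                         // scheme-less       -> accepted
  'http://other.example/',                // foreign host      -> rejected
  '//other.example/x',                    // protocol-relative -> rejected
  'mailto:someone@example.org',           // non-http scheme   -> rejected
  '#top',                                 // bare anchor       -> rejected
];

// Returns the subset of SAMPLE_URLS that isValidUrl accepts for OWN_DOMAIN.
function acceptedUrls() {
  return SAMPLE_URLS.filter((u) => isValidUrl(u, OWN_DOMAIN));
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(escapeXmlBasic('"bread" & "butter"'));
  console.log(acceptedUrls());
  console.log(renderLink('Tom & "Jerry"', 'http://other.example/', OWN_DOMAIN));
}
```

Running the file prints the escaped "bread" & "butter" string from Benedikt's reply, the four accepted URLs, and a link whose foreign href has been replaced while its text is entity-escaped. The point to take from renderLink is that the escaping and the validation answer different questions: escaping decides how a value is written into markup, validation decides whether the value is acceptable in that position at all.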