
Cross-Site Scripting in Java


Prevention

Remediation relies on output encoding: before untrusted data is written into a response, escape it for the exact context it lands in (HTML body, quoted HTML attribute, URL parameter, CSS string or URL, JavaScript string). Each of these contexts has its own set of dangerous characters and its own escape syntax, so a single generic "HTML escape" applied everywhere is not enough. The OWASP Java Encoder library exposes this through the static methods of the org.owasp.encoder.Encode class, one per downstream context:

Context                   Vulnerable code                                                        Mitigation
HTML body                 <div>USER-CONTROLLED-DATA</div>                                        Encode.forHtml
HTML attribute (quoted)   <input type="text" value="USER-CONTROLLED-DATA">                       Encode.forHtmlAttribute
URL parameter             <a href="/search?value=USER-CONTROLLED-DATA">Search</a>               Encode.forUriComponent
CSS string (quoted)       <div style="font-family: 'USER-CONTROLLED-DATA';">Selection</div>     Encode.forCssString
CSS URL                   <div style="background: url('USER-CONTROLLED-DATA')">                 Encode.forCssUrl
JavaScript block          <script>alert("USER-CONTROLLED-DATA");</script>                       Encode.forJavaScriptBlock
JavaScript in attribute   <button onclick="alert('USER-CONTROLLED-DATA');">click me</button>    Encode.forJavaScriptAttribute

Two caveats apply to the table. First, these encoders only protect the quoted contexts shown: Encode.forHtmlAttribute assumes the attribute value is wrapped in quotes (Encode.forHtmlUnquotedAttribute exists for the unquoted case), and the CSS and JavaScript encoders assume the data sits inside a quoted string, a url(...) call, or a quoted event-handler attribute. Encode.forJavaScript is the conservative choice when the same value may end up in either a script block or an event-handler attribute. Second, no encoder makes untrusted data safe in a slot that is itself executable, such as an unquoted JavaScript expression, a bare CSS property value, or an href that starts with javascript:; those need validation against an allow-list rather than escaping.
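The contexts from the table applied side by side, as an added example that is not code from this page or from the OWASP Java Encoder project. It assumes the library is on the classpath (Maven artifact org.owasp.encoder:encoder), uses a constructed attacker payload, and names a hypothetical page function track() for the event-handler row; the vulnerable and hardened renderers take the same query string so their output can be compared directly.

```java
import org.owasp.encoder.Encode;

public class SearchPageRenderer {

    // Constructed test payload (not from the page): closes a double-quoted
    // attribute, then injects a script tag.
    static final String PAYLOAD = "\"><script>alert(document.cookie)</script>";

    // Vulnerable: the raw query is concatenated into seven different contexts.
    // In a servlet this is what "request.getParameter("value")" written straight
    // into the response looks like.
    static String renderVulnerable(String q) {
        return "<div>Results for " + q + "</div>\n"
             + "<input type=\"text\" value=\"" + q + "\">\n"
             + "<a href=\"/search?value=" + q + "\">Search again</a>\n"
             + "<div style=\"font-family: '" + q + "';\">Selection</div>\n"
             + "<div style=\"background: url('" + q + "')\"></div>\n"
             + "<script>var lastQuery = \"" + q + "\";</script>\n"
             + "<button onclick=\"track('" + q + "');\">click me</button>\n"; // track() is hypothetical
    }

    // Hardened: identical markup, with the encoder that matches each context.
    // Every slot is quoted, which is the precondition these encoders rely on.
    static String renderEncoded(String q) {
        return "<div>Results for " + Encode.forHtml(q) + "</div>\n"
             + "<input type=\"text\" value=\"" + Encode.forHtmlAttribute(q) + "\">\n"
             + "<a href=\"/search?value=" + Encode.forUriComponent(q) + "\">Search again</a>\n"
             + "<div style=\"font-family: '" + Encode.forCssString(q) + "';\">Selection</div>\n"
             + "<div style=\"background: url('" + Encode.forCssUrl(q) + "')\"></div>\n"
             + "<script>var lastQuery = \"" + Encode.forJavaScriptBlock(q) + "\";</script>\n"
             + "<button onclick=\"track('" + Encode.forJavaScriptAttribute(q) + "');\">click me</button>\n";
    }

    public static void main(String[] args) {
        String q = args.length > 0 ? args[0] : PAYLOAD;
        System.out.println("--- vulnerable: payload breaks out of the attribute ---");
        System.out.print(renderVulnerable(q));
        System.out.println("--- encoded: payload is rendered as inert text ---");
        System.out.print(renderEncoded(q));
    }
}
```

Compile and run with the encoder jar on the classpath (javac -cp encoder.jar SearchPageRenderer.java; java -cp encoder.jar:. SearchPageRenderer) and pass your own payload as the first argument to see how each encoder rewrites the characters that matter for its context. The vulnerable output contains a live <script> element after the input tag; the encoded output keeps the literal characters but each one is escaped in the syntax of its own context.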

References

OWASP - Cross-Site Scripting (XSS)
OWASP - Code Review Guide
OWASP - Cross-Site Scripting Prevention Cheat Sheet
OWASP - Java Encoder
SEI CERT Oracle Coding Standard for Java