Cross-Site Scripting in Java
Prevention
Remediation relies on output encoding (escaping) untrusted data for the exact HTML context it is written into: HTML body, attribute value, URL parameter, CSS or JavaScript. The Encode class of the OWASP Java Encoder library provides one method per downstream context. The encoder must match the context, because HTML entity encoding does nothing to protect a value placed inside a JavaScript string or a URL, and the wrong encoder leaves the injection open.
Context | Vulnerable Code | Mitigation
---|---|---
HTML Body | <div>USER-CONTROLLED-DATA</div> | Encode.forHtml
HTML Attribute | <input type="text" value="USER-CONTROLLED-DATA"> | Encode.forHtmlAttribute
URL Parameter | <a href="/search?value=USER-CONTROLLED-DATA">Search</a> | Encode.forUriComponent
CSS String | <div style="font-family: 'USER-CONTROLLED-DATA';">Selection</div> | Encode.forCssString (inside a quoted CSS string)
CSS URL | <div style="background: url('USER-CONTROLLED-DATA');"></div> | Encode.forCssUrl (inside url())
JavaScript Block | <script>alert("USER-CONTROLLED-DATA")</script> | Encode.forJavaScriptBlock
JavaScript Attribute | <button onclick="alert('USER-CONTROLLED-DATA');">click me</button> | Encode.forJavaScriptAttribute

Encode.forJavaScript can be used in place of the block- and attribute-specific variants when the same value is rendered in both JavaScript contexts. Encoding only works where the untrusted data sits inside a quoted string or a well-defined token: an unquoted HTML attribute, an unquoted CSS property value such as width: USER-CONTROLLED-DATA, or a full URL whose scheme the user controls (javascript:) cannot be made safe by encoding alone and must instead be validated against an allow-list of expected values.
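The following is an added example, not code from the original page or from the OWASP Java Encoder project. It renders the same constructed payload into every context in the table above, once concatenated raw and once through the matching Encode method, and shows the allow-list fallback for an unquoted CSS width, which encoding cannot protect. It assumes the OWASP Java Encoder is on the classpath (Maven artifact org.owasp.encoder:encoder); the class name, the payload and the CSS_LENGTH pattern are illustrative choices made here.

```java
import org.owasp.encoder.Encode;
import java.util.regex.Pattern;

/** Context-specific output encoding with the OWASP Java Encoder (added example). */
public final class XssEncodingDemo {

    // Constructed sample payload: closes a quoted attribute or string and injects a script tag.
    static final String PAYLOAD = "\"'><script>alert(document.domain)</script>";

    // Unquoted CSS property values cannot be fixed by encoding, so width is allow-listed:
    // only a short numeric length with a known unit is accepted (illustrative pattern).
    private static final Pattern CSS_LENGTH = Pattern.compile("^\\d{1,4}(px|%|em|rem)$");

    /** Vulnerable: untrusted data concatenated raw into every context. */
    static String renderVulnerable(String data) {
        return "<div>" + data + "</div>\n"
             + "<input type=\"text\" value=\"" + data + "\">\n"
             + "<a href=\"/search?value=" + data + "\">Search</a>\n"
             + "<div style=\"font-family: '" + data + "';\">Selection</div>\n"
             + "<div style=\"background: url('" + data + "');\"></div>\n"
             + "<script>alert(\"" + data + "\")</script>\n"
             + "<button onclick=\"alert('" + data + "');\">click me</button>\n";
    }

    /** Safe: each insertion point uses the encoder for the context it lands in. */
    static String renderSafe(String data) {
        return "<div>" + Encode.forHtml(data) + "</div>\n"
             // quoted HTML attribute value
             + "<input type=\"text\" value=\"" + Encode.forHtmlAttribute(data) + "\">\n"
             // query-string parameter; percent-encoded output is also safe inside the href attribute
             + "<a href=\"/search?value=" + Encode.forUriComponent(data) + "\">Search</a>\n"
             // quoted CSS string inside a style attribute
             + "<div style=\"font-family: '" + Encode.forCssString(data) + "';\">Selection</div>\n"
             // quoted url() argument inside a style attribute
             + "<div style=\"background: url('" + Encode.forCssUrl(data) + "');\"></div>\n"
             // quoted JavaScript string inside a <script> block (also neutralises "</script>")
             + "<script>alert(\"" + Encode.forJavaScriptBlock(data) + "\")</script>\n"
             // quoted JavaScript string inside an event-handler attribute (JS and HTML-attribute encoding)
             + "<button onclick=\"alert('" + Encode.forJavaScriptAttribute(data) + "');\">click me</button>\n";
    }

    /** Unquoted CSS value: validate against the allow-list, fall back to a fixed default. */
    static String widthStyle(String data) {
        String width = CSS_LENGTH.matcher(data).matches() ? data : "100px";
        return "<div style=\"width: " + width + ";\">Selection</div>\n";
    }

    public static void main(String[] args) {
        System.out.println("--- vulnerable (payload breaks out of every context) ---");
        System.out.print(renderVulnerable(PAYLOAD));
        System.out.println("--- encoded (payload rendered as inert text) ---");
        System.out.print(renderSafe(PAYLOAD));
        System.out.print(widthStyle("50%"));    // accepted by the allow-list
        System.out.print(widthStyle(PAYLOAD));  // rejected, default width used
    }
}
```

Running the class prints the vulnerable markup with the script tag intact in every line, and the encoded markup with the quotes and angle brackets replaced by context-appropriate escapes (HTML entities in the body and attribute, percent-encoding in the URL, backslash escapes in the CSS and JavaScript strings). The width helper shows the other half of the defence: where the data is not inside a quoted string, reject anything outside the expected grammar rather than trying to encode it.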
References
OWASP - Cross-Site Scripting (XSS)
OWASP - Code Review Guide
OWASP - Cross-Site Scripting Prevention Cheat Sheet
OWASP - Java Encoder
SEI CERT Oracle Coding Standard for Java