Cross-Site Scripting in Java

Prevention

Remediation relies on performing output encoding (i.e. applying an escape syntax) that matches the HTML context into which untrusted data is reflected: data placed in an HTML body, an attribute value, a URL parameter, a CSS value, or a JavaScript string each needs a different encoding. The OWASP Java Encoder interface contains a number of methods for encoding output so that it is safe for each of these downstream contexts.

| Context | Code | Java Encoder API |
|---|---|---|
| HTML Body | `<div>USER-CONTROLLED-DATA</div>` | `Encode.forHtml` |
| HTML Attribute | `<input type="text" value="USER-CONTROLLED-DATA">` | `Encode.forHtmlAttribute` |
| URL Parameter | `<a href="/search?value=USER-CONTROLLED-DATA">Search</a>` | `Encode.forUriComponent` |
| CSS String | `<div style="width: USER-CONTROLLED-DATA;">Selection</div>` | `Encode.forCssString` |
| CSS URL | `<div style="background: USER-CONTROLLED-DATA ">` | `Encode.forCssUrl` |
| JavaScript Block | `<script>alert("USER-CONTROLLED-DATA")</script>` | `Encode.forJavaScriptBlock` |
| JavaScript Variable | `<button onclick="alert('USER-CONTROLLED-DATA');">click me</button>` | `Encode.forJavaScriptVariable` |
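The following is an added example (not code from the original page or from the OWASP Java Encoder project) that renders one constructed untrusted value into the contexts listed above, selecting the encoder method that matches each context. It assumes the `org.owasp.encoder:encoder` artifact is on the classpath; for the event-handler row it uses `Encode.forJavaScriptAttribute`, the encoder's method for a JavaScript string nested inside an HTML attribute.

```java
import org.owasp.encoder.Encode;

/**
 * Renders the same untrusted value into several HTML contexts, using the
 * OWASP Java Encoder method that matches each context. The encoder only
 * escapes characters; the surrounding quotes and tags are written by us,
 * so the encoding chosen must match exactly where the value is placed.
 * Assumes org.owasp.encoder:encoder is on the classpath.
 */
public class XssSafeRendering {

    // Constructed sample input with characters that are significant in
    // HTML text, attributes, URLs and JavaScript string literals.
    static final String UNTRUSTED = "Tom & \"Jerry\" <b>'s 100%";

    /** HTML body: text between tags. */
    static String htmlBody(String data) {
        return "<div>" + Encode.forHtml(data) + "</div>";
    }

    /** Quoted HTML attribute value. */
    static String htmlAttribute(String data) {
        return "<input type=\"text\" value=\"" + Encode.forHtmlAttribute(data) + "\">";
    }

    /** Query-string parameter inside an href; percent-encoding leaves no
     *  character that could terminate the attribute or the URL. */
    static String urlParameter(String data) {
        return "<a href=\"/search?value=" + Encode.forUriComponent(data) + "\">Search</a>";
    }

    /** String literal inside a script block; also prevents "</script>" from
     *  closing the block early. */
    static String javaScriptBlock(String data) {
        return "<script>alert(\"" + Encode.forJavaScriptBlock(data) + "\")</script>";
    }

    /** String literal inside an event-handler attribute: a JavaScript context
     *  nested in an HTML attribute, so this encoder handles both layers. */
    static String javaScriptAttribute(String data) {
        return "<button onclick=\"alert('" + Encode.forJavaScriptAttribute(data)
                + "');\">click me</button>";
    }

    public static void main(String[] args) {
        System.out.println(htmlBody(UNTRUSTED));
        System.out.println(htmlAttribute(UNTRUSTED));
        System.out.println(urlParameter(UNTRUSTED));
        System.out.println(javaScriptBlock(UNTRUSTED));
        System.out.println(javaScriptAttribute(UNTRUSTED));
    }
}
```

Encoding keeps the value inside its intended syntactic position but does not validate it: a CSS length such as the `width:` value in the table should additionally be checked against an allow-list of expected forms before it is encoded.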

References

OWASP - Cross-Site Scripting (XSS)
OWASP - Code Review Guide
OWASP - Cross-Site Scripting Prevention Cheat Sheet
OWASP - Java Encoder
SEI CERT Oracle Coding Standard for Java