Hello Akash, maybe this can help:

http://stackoverflow.com/questions/10487648/prevent-xss-in-spring-mvc
http://stackoverflow.com/questions/12538227/how-to-prevent-xss-attacks-with-springmvc-jackson-application
http://jeevanpatil.wordpress.com/2011/07/22/prevention_of_xss/

There is a lot on Google about this ;-) Or you ask at OWASP how to integrate the other systems with ESAPI that caused the problems.

Regards,
Benedikt

2014-05-07 2:23 GMT+02:00 Akash Jain <akash.delh...@gmail.com>:

> ESAPI has given us some problems with other systems we interact with.
>
> I am using Java 7 with Spring 3.2 MVC in Tomcat 7.
>
> On Tue, May 6, 2014 at 4:29 AM, Benedikt Ritter <brit...@apache.org> wrote:
>
> > Hello Akash,
> >
> > 2014-05-05 22:16 GMT+02:00 Akash Jain <akash.delh...@gmail.com>:
> >
> > > Hello Benedikt,
> > >
> > > Basically I am using it as an XSS prevention mechanism. So I want to use it; is it safe enough?
> >
> > As I've said: escapeXml just escapes the basic XML entities. It depends on what you're doing with the escaped content. Since I don't know the environment you're working in, I can not tell which kinds of XSS are possible. But I don't think that just using escapeXml is sufficient. My feeling is that using a full blown XSS prevention library like ESAPI is a better solution.
> >
> > Benedikt
> >
> > > I am not very inclined to use ESAPI as an XSS protection mechanism, hence I am using escapeXml
> > >
> > > On Mon, May 5, 2014 at 10:54 AM, Benedikt Ritter <brit...@apache.org> wrote:
> > >
> > > > Hello Akash,
> > > >
> > > > escapeXml will just escape the basic XML entities. For example:
> > > >
> > > > "bread" & "butter" => &quot;bread&quot; &amp; &quot;butter&quot;.
> > > >
> > > > escapeXml10 and escapeXml11 are extended methods that will escape some more characters that are illegal in XML.
> > > >
> > > > I don't understand what you mean by "how safe". Can you give an example of a malformed input and the result you're expecting? Then I can tell you whether it will be escaped ;-)
> > > >
> > > > Regards,
> > > > Benedikt
> > > >
> > > > 2014-05-05 19:34 GMT+02:00 Akash Jain <akash.delh...@gmail.com>:
> > > >
> > > > > Martin,
> > > > >
> > > > > Can you tell me how safe the escapeXml function is? That's what I originally wanted to know.
> > > > >
> > > > > Thanks.
> > > > >
> > > > > On Mon, May 5, 2014 at 5:17 AM, Martin Gainty <mgai...@hotmail.com> wrote:
> > > > >
> > > > > > if you didn't catch XSS Vector at Javascript as it was coming in from Browser then you can write your own from:
> > > > > > http://commons.apache.org/proper/commons-lang/javadocs/api-2.6/src-html/org/apache/commons/lang/StringEscapeUtils.html
> > > > > >
> > > > > > private static void escapeJavaStyleString(Writer out, String str, boolean escapeSingleQuote,
> > > > > >         boolean escapeForwardSlash) throws IOException {
> > > > > >     //put XSS Vector attack mitigation here
> > > > > > }
> > > > > >
> > > > > > //Also in a webapp insert the configuration for owasp csrf guard
> > > > > > <context-param>
> > > > > >     <param-name>Owasp.CsrfGuard.Config</param-name>
> > > > > >     <param-value>config/Owasp.CsrfGuard.properties</param-value>
> > > > > > </context-param>
> > > > > > //and of course the filter
> > > > > > <filter>
> > > > > >     <filter-name>CSRFGuard</filter-name>
> > > > > >     <filter-class>org.owasp.csrfguard.CsrfGuardFilter</filter-class>
> > > > > > </filter>
> > > > > > //and which extensions it will map to
> > > > > > <!-- CSRF Filter Mapping -->
> > > > > > <filter-mapping>
> > > > > >     <filter-name>CSRFGuard</filter-name>
> > > > > >     <url-pattern>*.jsf</url-pattern>
> > > > > > </filter-mapping>
> > > > > > <filter-mapping>
> > > > > >     <filter-name>CSRFGuard</filter-name>
> > > > > >     <url-pattern>*.jsp</url-pattern>
> > > > > > </filter-mapping>
> > > > > >
> > > > > > //session listener
> > > > > > <listener>
> > > > > >     <listener-class>org.owasp.csrfguard.CsrfGuardListener</listener-class>
> > > > > > </listener>
> > > > > >
> > > > > > <!-- CSRF JavaScript Servlet -->
> > > > > > <servlet>
> > > > > >     <servlet-name>JavaScriptServlet</servlet-name>
> > > > > >     <servlet-class>org.owasp.csrfguard.servlet.JavaScriptServlet</servlet-class>
> > > > > >     <init-param>
> > > > > >         <param-name>source-file</param-name>
> > > > > >         <param-value>WEB-INF/customjs/Owasp.CsrfGuard.js</param-value>
> > > > > >     </init-param>
> > > > > > </servlet>
> > > > > > //where Owasp.CsrfGuard.js would contain something like:
> > > > > > /** determine if uri/url points to valid domain */
> > > > > > function isValidUrl(src) {
> > > > > >     var result = false;
> > > > > >
> > > > > >     /** parse out domain to make sure it points to our own */
> > > > > >     if(src.substring(0, 7) == "http://" || src.substring(0, 8) == "https://") {
> > > > > >         var token = "://";
> > > > > >         var index = src.indexOf(token);
> > > > > >         var part = src.substring(index + token.length);
> > > > > >         var domain = "";
> > > > > >
> > > > > >         /** parse up to end, first slash, or anchor */
> > > > > >         for(var i=0; i<part.length; i++) {
> > > > > >             var character = part.charAt(i);
> > > > > >
> > > > > >             if(character == '/' || character == ':' || character == '#') {
> > > > > >                 break;
> > > > > >             } else {
> > > > > >                 domain += character;
> > > > > >             }
> > > > > >         }
> > > > > >
> > > > > >         result = isValidDomain(document.domain, domain);
> > > > > >     /** explicitly skip anchors */
> > > > > >     } else if(src.charAt(0) == '#') {
> > > > > >         result = false;
> > > > > >     /** ensure it is a local resource without a protocol */
> > > > > >     } else if(!src.startsWith("//") && (src.charAt(0) == '/' || src.indexOf(':') == -1)) {
> > > > > >         result = true;
> > > > > >     }
> > > > > >
> > > > > >     return result;
> > > > > > }
> > > > > >
> > > > > > Kind regards
> > > > > >
> > > > > > Martin
> > > > > >
> > > > > > > Date: Mon, 5 May 2014 00:55:22 -0700
> > > > > > > Subject: StringEscapeUtils.escapeXml & XX
> > > > > > > From: akash.delh...@gmail.com
> > > > > > > To: user@commons.apache.org
> > > > > > >
> > > > > > > Hi,
> > > > > > >
> > > > > > > I want to know how secure escapeXml (org.apache.commons.lang.StringEscapeUtils.escapeXml) is for preventing all XSS vectors?

--
http://people.apache.org/~britter/
http://www.systemoutprintln.de/
http://twitter.com/BenediktRitter
http://github.com/britter
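The point Benedikt makes above ("it depends on what you're doing with the escaped content") is easiest to see with the escaping function placed into each HTML context in turn. The following is an added example written for this thread, not code from the list or from Commons Lang; it assumes commons-lang 2.6 (the `org.apache.commons.lang` package Akash names) on the classpath, and the class and helper names (`EscapeXmlContexts`, `hasAllowedScheme`, and the render methods) are mine. It generalizes beyond the single "bread & butter" case in the thread to element content, quoted and unquoted attributes, URL attributes and JavaScript string literals.

```java
// Added example, not from the thread or from Commons Lang. Assumes
// commons-lang-2.6.jar on the classpath; class and method names are mine.
import java.net.URI;
import java.net.URISyntaxException;
import org.apache.commons.lang.StringEscapeUtils;

public class EscapeXmlContexts {

    /** Element content: every character that could open a tag or entity
     *  (&, <, >, ", ') is replaced, so escapeXml is adequate here. */
    static String paragraph(String userText) {
        return "<p>" + StringEscapeUtils.escapeXml(userText) + "</p>";
    }

    /** Quoted attribute value: the closing quote is the only way out of the
     *  attribute, and escapeXml turns both quote characters into entities. */
    static String quotedValueAttribute(String userText) {
        return "<input type=\"text\" value=\""
                + StringEscapeUtils.escapeXml(userText) + "\">";
    }

    /** Unquoted attribute value (weak form, kept only to show the gap):
     *  whitespace ends the value and escapeXml does not touch whitespace,
     *  so the rest of the input is parsed as further attributes. Quoting
     *  the attribute is the fix; no entity escaping covers this context. */
    static String unquotedValueAttributeWeak(String userText) {
        return "<input type=text value="
                + StringEscapeUtils.escapeXml(userText) + ">";
    }

    /** URL attribute: escapeXml knows nothing about URL schemes, so a
     *  complete URL with a scheme the browser executes rather than fetches
     *  passes through unchanged. Allow-list the scheme before escaping. */
    static String link(String userUrl) {
        String safeUrl = hasAllowedScheme(userUrl) ? userUrl : "#";
        return "<a href=\"" + StringEscapeUtils.escapeXml(safeUrl) + "\">link</a>";
    }

    /** Accept only relative URLs and http/https. Input that java.net.URI
     *  cannot parse is rejected rather than guessed at. */
    static boolean hasAllowedScheme(String url) {
        try {
            String scheme = new URI(url).getScheme();
            return scheme == null
                    || scheme.equalsIgnoreCase("http")
                    || scheme.equalsIgnoreCase("https");
        } catch (URISyntaxException e) {
            return false;
        }
    }

    /** JavaScript string literal: &apos; and &quot; mean nothing inside a
     *  <script> block, so XML entities are the wrong escaping here. Commons
     *  Lang's escapeJavaScript backslash-escapes quotes, slashes and control
     *  characters, which is what this context needs. */
    static String scriptVariable(String userText) {
        return "<script>var greeting = '"
                + StringEscapeUtils.escapeJavaScript(userText) + "';</script>";
    }

    public static void main(String[] args) {
        // Constructed sample inputs; none of them is an attack string.
        String text = "\"bread\" & \"butter\"";
        String withSpace = "two words";
        String[] urls = { "https://example.org/docs", "/relative/path?q=1", "javascript:void(0)" };

        System.out.println(paragraph(text));
        System.out.println(quotedValueAttribute(withSpace));
        System.out.println(unquotedValueAttributeWeak(withSpace));
        for (String u : urls) {
            System.out.println(hasAllowedScheme(u) + "  " + link(u));
        }
        System.out.println(scriptVariable("O'Reilly"));
    }
}
```

Compile and run with `javac -cp commons-lang-2.6.jar EscapeXmlContexts.java && java -cp .:commons-lang-2.6.jar EscapeXmlContexts`. Comparing the `value=` lines shows why the same escaped string is safe in one context and not in the other, and the URL loop shows that a scheme allow-list, not entity escaping, is what decides whether a user-supplied link is acceptable; for the JavaScript context the thread's own ESAPI suggestion, or Commons Lang's `escapeJavaScript`, is the right tool rather than `escapeXml`.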