If you didn't catch the XSS vector in JavaScript as it was coming in from the browser,
then you can write your own escaper, starting from:

http://commons.apache.org/proper/commons-lang/javadocs/api-2.6/src-html/org/apache/commons/lang/StringEscapeUtils.html
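/**
 * Escapes {@code str} so that it can be embedded inside a Java or ECMAScript
 * string literal and writes the result to {@code out}. This is the worker
 * behind commons-lang's {@code escapeJava}/{@code escapeJavaScript} (see the
 * linked StringEscapeUtils source); the escaping rules below follow it.
 *
 * <p>Context matters for XSS: this routine protects the <em>JavaScript
 * string-literal</em> context only. {@code "} and {@code \} always receive a
 * backslash, so the data cannot terminate the literal, and with
 * {@code escapeForwardSlash} the sequence {@code </} becomes {@code <\/}, so
 * the HTML parser never sees {@code </script>} inside the literal. It does
 * not touch {@code <}, {@code >} or {@code &}, so it is <em>not</em> a
 * replacement for {@code escapeHtml} when the value ends up in HTML body or
 * attribute text.</p>
 *
 * @param out                destination writer; must not be null
 * @param str                text to escape; null writes nothing
 * @param escapeSingleQuote  write {@code '} as {@code \'} (needed when the
 *                           enclosing literal is single-quoted)
 * @param escapeForwardSlash write {@code /} as {@code \/}
 * @throws IOException              if writing to {@code out} fails
 * @throws IllegalArgumentException if {@code out} is null
 */
private static void escapeJavaStyleString(Writer out, String str, boolean escapeSingleQuote,
        boolean escapeForwardSlash) throws IOException {
    if (out == null) {
        throw new IllegalArgumentException("The Writer must not be null");
    }
    if (str == null) {
        return;
    }
    int sz = str.length();
    for (int i = 0; i < sz; i++) {
        char ch = str.charAt(i);
        if (ch > 0x7f || ch < 32) {
            // Non-ASCII and control characters are written as backslash-u plus
            // four uppercase hex digits, except the common control characters,
            // which get their short escape.
            switch (ch) {
                case '\b':
                    out.write("\\b");
                    break;
                case '\n':
                    out.write("\\n");
                    break;
                case '\t':
                    out.write("\\t");
                    break;
                case '\f':
                    out.write("\\f");
                    break;
                case '\r':
                    out.write("\\r");
                    break;
                default:
                    out.write(String.format("\\u%04X", (int) ch));
                    break;
            }
        } else {
            switch (ch) {
                case '\'':
                    if (escapeSingleQuote) {
                        out.write('\\');
                    }
                    out.write('\'');
                    break;
                case '"':
                    out.write("\\\"");
                    break;
                case '\\':
                    out.write("\\\\");
                    break;
                case '/':
                    // Escaping '/' is what keeps "</script>" from closing the
                    // script element when the literal sits in inline JS.
                    if (escapeForwardSlash) {
                        out.write('\\');
                    }
                    out.write('/');
                    break;
                default:
                    out.write(ch);
                    break;
            }
        }
    }
}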

//Also, in a webapp, insert the configuration for OWASP CSRFGuard:
    <!-- Points CSRFGuard at its properties file. The guard's runtime settings
         live in that file, so it must ship with the application; how the
         relative path is resolved depends on the CSRFGuard version in use -
         confirm for yours. -->
    <context-param>
        <param-name>Owasp.CsrfGuard.Config</param-name>
        <param-value>config/Owasp.CsrfGuard.properties</param-value>
    </context-param>
//and of course the filter
    <!-- Registers the CSRFGuard filter. Declaring it alone inspects nothing;
         the filter-mapping entries decide which requests pass through it. -->
    <filter>
        <filter-name>CSRFGuard</filter-name>
        <filter-class>org.owasp.csrfguard.CsrfGuardFilter</filter-class>
    </filter>
//and which URL patterns (extensions) it is mapped to
    <!-- CSRF Filter Mapping: only requests whose path ends in .jsf or .jsp
         pass through CSRFGuard. A state-changing endpoint served under any
         other pattern (a plain servlet, a REST path, ...) is outside these two
         mappings and needs a mapping of its own. -->
    <filter-mapping>
        <filter-name>CSRFGuard</filter-name>
        <url-pattern>*.jsf</url-pattern>
    </filter-mapping>    
    <filter-mapping>
        <filter-name>CSRFGuard</filter-name>
        <url-pattern>*.jsp</url-pattern>
    </filter-mapping>

//session listener
    <!-- Session listener that CSRFGuard requires so it can react to
         HttpSession lifecycle events (presumably to set up the per-session
         token when a session starts - confirm against the CSRFGuard version
         in use). -->
    <listener>
        <listener-class>
            org.owasp.csrfguard.CsrfGuardListener
        </listener-class>
    </listener>

    <!-- CSRF JavaScript Servlet: serves the client-side CSRFGuard script (the
         file that the isValidUrl function below belongs to). source-file
         replaces the script bundled in the jar with a customized copy; it is
         kept under WEB-INF so the container only ever hands it out through
         this servlet. Note: no servlet-mapping for JavaScriptServlet appears
         in this excerpt - without one the script has no URL, so confirm the
         mapping exists elsewhere in the descriptor. -->
    <servlet>
        <servlet-name>JavaScriptServlet</servlet-name>
        
<servlet-class>org.owasp.csrfguard.servlet.JavaScriptServlet</servlet-class>
        <init-param>
            <param-name>source-file</param-name>
            <param-value>WEB-INF/customjs/Owasp.CsrfGuard.js</param-value>
        </init-param>
    </servlet>
//where Owasp.CsrfGuard.js would contain something like:
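/**
 * Decide whether a URI/URL points to our own domain and may therefore carry
 * the CSRF token.
 *
 * Returns true only for same-origin targets: absolute http(s) URLs whose host
 * part passes isValidDomain() against document.domain, and protocol-less local
 * paths. Anchors, protocol-relative "//host" URLs and anything with another
 * scheme yield false, so the token is never attached to a request that leaves
 * this site.
 *
 * @param {string} src the href/action/src value to classify
 * @return {boolean} true when the token may be attached to src
 */
    function isValidUrl(src) {
        var result = false;

        /** absolute URL: parse out the host and compare it with our own domain */
        if(src.substring(0, 7) == "http://" || src.substring(0, 8) == "https://") {
            var token = "://";
            var index = src.indexOf(token);
            var part = src.substring(index + token.length);
            var domain = "";

            /** the host ends at end of string, first slash, port colon, or anchor.
                NOTE(review): user-info ("user@host") and IPv6 literals are not split
                off here - confirm isValidDomain() copes with them. */
            for(var i=0; i<part.length; i++) {
                var character = part.charAt(i);

                if(character == '/' || character == ':' || character == '#') {
                    break;
                } else {
                    domain += character;
                }
            }

            result = isValidDomain(document.domain, domain);
        } else if(src.charAt(0) == '#') {
            /** explicitly skip anchors: they never leave the page */
            result = false;
        } else if(src.indexOf("//") != 0 && (src.charAt(0) == '/' || src.indexOf(':') == -1)) {
            /** local resource without a protocol. "//host" is rejected because a
                protocol-relative URL keeps the scheme but goes to another host;
                indexOf() is used instead of startsWith() so no ES6 polyfill is needed */
            result = true;
        }

        return result;
    }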


Mit freundlichen Grüßen

Martin

> Date: Mon, 5 May 2014 00:55:22 -0700
> Subject: StringEscapeUtils.escapeXml & XX
> From: [email protected]
> To: [email protected]
> 
> Hi,
> 
> I want to know how secure escapeXml
> (org.apache.commons.lang.StringEscapeUtils.escapeXml) is for preventing all
> XSS vectors?
                                          
