Martin, can you tell me how safe the escapeXml function is? That's what I originally wanted to know.
Thanks.

On Mon, May 5, 2014 at 5:17 AM, Martin Gainty <[email protected]> wrote:
> if you didnt catch XSS Vector at Javascript as it was coming in from
> Browser then you can write your own from:
>
> http://commons.apache.org/proper/commons-lang/javadocs/api-2.6/src-html/org/apache/commons/lang/StringEscapeUtils.html
> private static void escapeJavaStyleString(Writer out, String str, boolean escapeSingleQuote,
>     boolean escapeForwardSlash) throws IOException {
>     //put XSS Vector attack mitigation here
> }
>
> //Also in a webapp insert the configuration for owasp csrf guard
> <context-param>
>     <param-name>Owasp.CsrfGuard.Config</param-name>
>     <param-value>config/Owasp.CsrfGuard.properties</param-value>
> </context-param>
> //and of course the filter
> <filter>
>     <filter-name>CSRFGuard</filter-name>
>     <filter-class>org.owasp.csrfguard.CsrfGuardFilter</filter-class>
> </filter>
> //and which extensions it will map to
> <!-- CSRF Filter Mapping -->
> <filter-mapping>
>     <filter-name>CSRFGuard</filter-name>
>     <url-pattern>*.jsf</url-pattern>
> </filter-mapping>
> <filter-mapping>
>     <filter-name>CSRFGuard</filter-name>
>     <url-pattern>*.jsp</url-pattern>
> </filter-mapping>
>
> //session listener
> <listener>
>     <listener-class>
>         org.owasp.csrfguard.CsrfGuardListener
>     </listener-class>
> </listener>
>
> <!-- CSRF JavaScript Servlet -->
> <servlet>
>     <servlet-name>JavaScriptServlet</servlet-name>
>     <servlet-class>org.owasp.csrfguard.servlet.JavaScriptServlet</servlet-class>
>     <init-param>
>         <param-name>source-file</param-name>
>         <param-value>WEB-INF/customjs/Owasp.CsrfGuard.js</param-value>
>     </init-param>
> </servlet>
> //where Owasp.CsrfGuard.js would contain something like:
> /** determine if uri/url points to valid domain * */
> function isValidUrl(src) {
>     var result = false;
>
>     /** parse out domain to make sure it points to our own * */
>     if(src.substring(0, 7) == "http://" || src.substring(0, 8) == "https://") {
>         var token = "://";
>         var index = src.indexOf(token);
>         var part = src.substring(index + token.length);
>         var domain = "";
>
>         /** parse up to end, first slash, or anchor * */
>         for(var i=0; i<part.length; i++) {
>             var character = part.charAt(i);
>
>             if(character == '/' || character == ':' || character == '#') {
>                 break;
>             } else {
>                 domain += character;
>             }
>         }
>
>         result = isValidDomain(document.domain, domain);
>     /** explicitly skip anchors * */
>     } else if(src.charAt(0) == '#') {
>         result = false;
>     /** ensure it is a local resource without a protocol * */
>     } else if(!src.startsWith("//") && (src.charAt(0) == '/' || src.indexOf(':') == -1)) {
>         result = true;
>     }
>
>     return result;
> }
>
>
> Kind regards
>
> Martin
>
> > Date: Mon, 5 May 2014 00:55:22 -0700
> > Subject: StringEscapeUtils.escapeXml & XX
> > From: [email protected]
> > To: [email protected]
> >
> > Hi,
> >
> > I want to know how secure escapeXml
> > (org.apache.commons.lang.StringEscapeUtils.escapeXml) is for preventing all
> > XSS vectors?
> >
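The question the thread never quite answers is which output contexts an XML escaper covers. The following is an added example, not code from the thread, from commons-lang or from OWASP CSRFGuard: a JavaScript escaper that handles the five basic XML entities the commons-lang 2.6 javadoc lists for escapeXml (amp, lt, gt, quot, apos), applied to three places user input commonly ends up in a page. In element text and in a double-quoted attribute the five entities are enough; in a URL-bearing attribute they are not, because the characters that make a scheme are never escaped, so that context needs a scheme allow-list before escaping. The names `escapeXml`, `renderText`, `renderTitleAttr`, `isSafeHref`, `renderLink`, `ALLOWED_SCHEMES` and the base origin `https://app.example/` are all constructed for this example.

```javascript
// Added example (not from the thread, commons-lang or CSRFGuard): a
// five-entity XML escaper in the style of StringEscapeUtils.escapeXml,
// plus a check of which HTML output contexts that escaping covers.

const XML_ENTITIES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&apos;',
};

// Escape the five basic XML entities; every other character passes through.
function escapeXml(str) {
  return String(str).replace(/[&<>"']/g, (c) => XML_ENTITIES[c]);
}

// Context 1: text between tags. Escaping '<' and '&' is what keeps the
// input from opening a tag or an entity here.
function renderText(userInput) {
  return '<p>' + escapeXml(userInput) + '</p>';
}

// Context 2: a double-quoted attribute value. escapeXml also escapes '"',
// so the input cannot close the attribute and start a new one.
function renderTitleAttr(userInput) {
  return '<span title="' + escapeXml(userInput) + '">x</span>';
}

// Context 3: a URL-bearing attribute. Letters, digits and ':' are not
// escaped, so the scheme of the input survives escaping untouched. The
// attribute therefore needs a scheme allow-list (hypothetical policy).
const ALLOWED_SCHEMES = new Set(['http:', 'https:', 'mailto:']);

function isSafeHref(userInput) {
  let url;
  try {
    // Relative URLs resolve against our own origin (constructed base);
    // the WHATWG parser also strips leading/trailing whitespace, which a
    // plain substring check on "http://" would not do.
    url = new URL(userInput, 'https://app.example/');
  } catch (e) {
    return false; // unparseable input is rejected
  }
  return ALLOWED_SCHEMES.has(url.protocol);
}

// Allow-list first, then escape for the attribute context.
function renderLink(userInput) {
  const href = isSafeHref(userInput) ? userInput : '#';
  return '<a href="' + escapeXml(href) + '">link</a>';
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(renderText('a<b & c'));
  console.log(renderTitleAttr('say "hi"'));
  console.log(renderLink('/docs?a=1&b=2'));
  console.log(renderLink('javascript:void(0)'));
}
```

Two caveats worth keeping in mind. First, `&apos;` is an XML entity that pre-HTML5 parsers do not recognise, so an escaped single quote may be displayed literally in old browsers; that is harmless but visible. Second, none of this helps inside a `<script>` block, an inline event handler or a CSS value, where the five entities are not the characters that matter; each of those contexts needs its own encoder.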
