ESAPI has given us some problems with other systems we interact with. I am using Java 7 with Spring 3.2 MVC in Tomcat 7.
On Tue, May 6, 2014 at 4:29 AM, Benedikt Ritter <[email protected]> wrote: > Hello Akash, > > > 2014-05-05 22:16 GMT+02:00 Akash Jain <[email protected]>: > > > Hello Benedikt, > > > > Basically I am using it as XSS prevention mechanism. So I want to use is > it > > safe enough ? > > > > As I've said: escapeXml just escapes the basic XML entities. It depends on > what you're doing with the escaped content. Since I don't know the > environment you're working in, I can not tell which kinds of XSS are > possible. But I don't think that just using escapeXml is sufficient. My > feeling is that using a full blown XSS prevention library like ESAPI is a > better solution. > > Benedikt > > > > > > I am not very inclined to use ESAPI as XSS protection mechanism, hence I > am > > using escapeXml > > > > > > On Mon, May 5, 2014 at 10:54 AM, Benedikt Ritter <[email protected]> > > wrote: > > > > > Hello Akash, > > > > > > escapeXml will just escape the basic XML entities. For example: > > > > > > "bread" & "butter" => "bread" & "butter". > > > > > > escapeXml10 and escapeXml11 are extended methods that will escape some > > more > > > characters that are illegal in XML. > > > > > > I don't understand what you mean by "how safe" can you give an example > > of a > > > malformed input and the result your expecting? Then I can tell you > > whether > > > it will be escaped ;-) > > > > > > Regards, > > > Benedikt > > > > > > > > > 2014-05-05 19:34 GMT+02:00 Akash Jain <[email protected]>: > > > > > > > Martin, > > > > > > > > Can you tell me how safe is escapeXml function is ? Thats what I > > > originally > > > > wanted to know. > > > > > > > > Thanks. > > > > > > > > > > > > On Mon, May 5, 2014 at 5:17 AM, Martin Gainty <[email protected]> > > > wrote: > > > > > > > > > if you didnt catch XSS Vector at Javascript as it was coming in > from > > > > > Browser then you can write your own from: > > > > > > > > > > > > > > > > > > > > > > > > > http://commons.apache.org/proper/commons-lang/javadocs/api-2.6/src-html/org/apache/commons/lang/StringEscapeUtils.html > > > > > private static void escapeJavaStyleString(Writer out, String str, > > > boolean > > > > > escapeSingleQuote, > > > > > boolean escapeForwardSlash) throws IOException {{ > > > > > //put XSS Vector attack mitigation here > > > > > } > > > > > > > > > > //Also in a webapp insert the configuration for owasp csrf guard > > > > > <context-param> > > > > > <param-name>Owasp.CsrfGuard.Config</param-name> > > > > > > <param-value>config/Owasp.CsrfGuard.properties</param-value> > > > > > </context-param> > > > > > //and of course the filter > > > > > <filter> > > > > > <filter-name>CSRFGuard</filter-name> > > > > > > > > <filter-class>org.owasp.csrfguard.CsrfGuardFilter</filter-class> > > > > > </filter> > > > > > //and which extensions it will map to > > > > > <!-- CSRF Filter Mapping --> > > > > > <filter-mapping> > > > > > <filter-name>CSRFGuard</filter-name> > > > > > <url-pattern>*.jsf</url-pattern> > > > > > </filter-mapping> > > > > > <filter-mapping> > > > > > <filter-name>CSRFGuard</filter-name> > > > > > <url-pattern>*.jsp</url-pattern> > > > > > </filter-mapping> > > > > > > > > > > //session listener > > > > > <listener> > > > > > <listener-class> > > > > > org.owasp.csrfguard.CsrfGuardListener > > > > > </listener-class> > > > > > </listener> > > > > > > > > > > <!-- CSRF JavaScript Servlet --> > > > > > <servlet> > > > > > <servlet-name>JavaScriptServlet</servlet-name> > > > > > > > > > > > > > > > > > > > > <servlet-class>org.owasp.csrfguard.servlet.JavaScriptServlet</servlet-class> > > > > > <init-param> > > > > > <param-name>source-file</param-name> > > > > > > > > > <param-value>WEB-INF/customjs/Owasp.CsrfGuard.js</param-value> > > > > > </init-param> > > > > > </servlet> > > > > > //where Owasp.CsrfGuard.js would contain something like: > > > > > /** determine if uri/url points to valid domain * */ > > > > > function isValidUrl(src) { > > > > > var result = false; > > > > > > > > > > /** parse out domain to make sure it points to our own * */ > > > > > if(src.substring(0, 7) == "http://"; || src.substring(0, 8) > > == > > > > > "https://";) { > > > > > var token = "://"; > > > > > var index = src.indexOf(token); > > > > > var part = src.substring(index + token.length); > > > > > var domain = ""; > > > > > > > > > > /** parse up to end, first slash, or anchor * */ > > > > > for(var i=0; i<part.length; i++) { > > > > > var character = part.charAt(i); > > > > > > > > > > if(character == '/' || character == ':' || > character > > == > > > > > '#') { > > > > > break; > > > > > } else { > > > > > domain += character; > > > > > } > > > > > } > > > > > > > > > > result = isValidDomain(document.domain, domain); > > > > > /** explicitly skip anchors * */ > > > > > } else if(src.charAt(0) == '#') { > > > > > result = false; > > > > > /** ensure it is a local resource without a protocol * > */ > > > > > } else if(!src.startsWith("//") && (src.charAt(0) == '/' || > > > > > src.indexOf(':') == -1)) { > > > > > result = true; > > > > > } > > > > > > > > > > return result; > > > > > } > > > > > > > > > > > > > > > Mit freundlichen Grüßen > > > > > > > > > > Martin > > > > > > > > > > > Date: Mon, 5 May 2014 00:55:22 -0700 > > > > > > Subject: StringEscapeUtils.escapeXml & XX > > > > > > From: [email protected] > > > > > > To: [email protected] > > > > > > > > > > > > Hi, > > > > > > > > > > > > I want to know much secure is escapeXml > > > > > > (org.apache.commons.lang.StringEscapeUtils.escapeXml) for > > preventing > > > > all > > > > > > XSS vectors ? > > > > > > > > > > > > > > > > > > > > > > > > > > -- > > > http://people.apache.org/~britter/ > > > http://www.systemoutprintln.de/ > > > http://twitter.com/BenediktRitter > > > http://github.com/britter > > > > > > > > > -- > http://people.apache.org/~britter/ > http://www.systemoutprintln.de/ > http://twitter.com/BenediktRitter > http://github.com/britter >
