Are you allowing the user to redisplay any entered HTML, à la MySpace?
I'm working on a solution for this right now. For this situation, I'm
filtering it in the action before it is saved to the DB.
Here are some REs and a simple function:
// Blacklist patterns consumed by filterForHTMLRedisplay() below. Every
// letter is spelled as an [Xx] class because the RE objects are built
// without a case-insensitivity flag. The enclosing class is presumably
// FormUtils (the method below qualifies these names that way) - confirm.
// NOTE(review): a pattern blacklist is only as complete as its patterns;
// none of the expressions in this block look at inline event-handler
// attributes, and, assuming `.` does not cross a newline in this RE
// class (confirm), markup split over several lines is not matched. An
// allowlisting sanitizer plus encoding on output is the approach that
// fails safe. Conventional modifier order is `private static final`.
//
// Deletes applet / object / script / embed elements, either as an
// open..close pair or as a self-closing tag, plus any attribute whose
// value begins with a javascript: URL. The `.*` between the opening and
// closing tag is greedy, so a single match spans from the first opening
// tag to the last closing tag of that name. The javascript: alternative
// ends with `.*["']`, i.e. it needs a quote character somewhere after
// the scheme - an attribute value with no quote after it is not matched.
private final static String XSS_BIG_OBJECTS_FILTER =
"(((<\\s*[Aa][Pp][Pp][Ll][Ee][Tt].*>.*<\\s*/.*[Aa][Pp][Pp][Ll][Ee][Tt]\\s*>)|(<\\s*[Aa][Pp][Pp][Ll][Ee][Tt].*/\\s*>))|"+
"((<\\s*[Oo][Bb][Jj][Ee][Cc][Tt].*>.*<\\s*/.*[Oo][Bb][Jj][Ee][Cc][Tt]\\s*>)|(<\\s*[Oo][Bb][Jj][Ee][Cc][Tt].*/\\s*>))|"+
"((<\\s*[Ss][Cc][Rr][Ii][Pp][Tt].*>.*<\\s*/.*[Ss][Cc][Rr][Ii][Pp][Tt]\\s*>)|(<\\s*[Ss][Cc][Rr][Ii][Pp][Tt].*/\\s*>))|"+
"((<\\s*[Ee][Mm][Bb][Ee][Dd].*>.*<\\s*/.*[Ee][Mm][Bb][Ee][Dd]\\s*>)|(<\\s*[Ee][Mm][Bb][Ee][Dd].*/\\s*>))|"+
"(=\\s*[\"\']*\\s*[Jj][Aa][Vv][Aa][Ss][Cc][Rr][Ii][Pp][Tt]\\s*:.*[\"\']))";
// Same shape as above for server / frame / iframe / frameset elements.
// The `frame` alternative also matches the start of `frameset`, so the
// last alternative is largely redundant with the second.
private final static String XSS_BIG_TAGS_FILTER =
"(((<\\s*[Ss][Ee][Rr][Vv][Ee][Rr].*>.*<\\s*/.*[Ss][Ee][Rr][Vv][Ee][Rr]\\s*>)|(<\\s*[Ss][Ee][Rr][Vv][Ee][Rr].*/\\s*>))|"+
"((<\\s*[Ff][Rr][Aa][Mm][Ee].*>.*<\\s*/.*[Ff][Rr][Aa][Mm][Ee]\\s*>)|(<\\s*[Ff][Rr][Aa][Mm][Ee].*/\\s*>))|"+
"((<\\s*[Ii][Ff][Rr][Aa][Mm][Ee].*>.*<\\s*/.*[Ii][Ff][Rr][Aa][Mm][Ee]\\s*>)|(<\\s*[Ii][Ff][Rr][Aa][Mm][Ee].*/\\s*>))|"+
"((<\\s*[Ff][Rr][Aa][Mm][Ee][Ss][Ee][Tt].*>.*<\\s*/.*[Ff][Rr][Aa][Mm][Ee][Ss][Ee][Tt]\\s*>)|(<\\s*[Ff][Rr][Aa][Mm][Ee][Ss][Ee][Tt].*/\\s*>)))";
/*
 * Intent: no relative URLs and no cross-domain URLs in the URL-bearing
 * attributes of a, img, form and ilayer tags.
 *
 * XSS_NOT_HTTP_RE is meant to match text that is not "http". Because the
 * group is repeated with `*` it also matches the empty string, and the
 * filters below wrap it in `.*` on both sides, so those filters match
 * any href / src / action value whatever its scheme. TODO(review):
 * confirm whether removing every such tag (rather than only non-http
 * ones) is the intended effect.
 */
private final static String XSS_NOT_HTTP_RE =
"([^Hh]|[Hh][^Tt]|[Hh][Tt][^Tt]|[Hh][Tt][Tt][^Pp])*";
// Deletes anchors: first alternative is any tag whose name starts with
// "a" (not only <a>) that carries an href attribute; second is an anchor
// whose href contains "e-coalesce" (presumably the site's own host -
// confirm). The trailing `>.*>` extends each match to a second `>`, which
// is presumably meant to be the closing </a> but is any later tag.
private final static String
XSS_NOT_RELATIVE_NOR_XDOMAIN_LINKS_FILTER =
"((<\\s*[Aa].*[Hh][Rr][Ee][Ff]\\s*=.*"+XSS_NOT_HTTP_RE+".*>.*>)|"+
"(<\\s*[Aa].*[Hh][Rr][Ee][Ff]\\s*=.*[Ee]-[Cc][Oo][Aa][Ll][Ee][Ss][Cc][Ee].*>.*>))";
/*
 * Same two alternatives for the src attribute of img and ilayer tags.
 */
private final static String XSS_NOT_RELATIVE_NOR_XDOMAIN_SRC_FILTER
=
"((<\\s*[Ii]([Mm][Gg]|[Ll][Aa][Yy][Ee][Rr]).*[Ss][Rr][Cc]\\s*=.*"+XSS_NOT_HTTP_RE+".*>.*>)|"+
"(<\\s*[Ii]([Mm][Gg]|[Ll][Aa][Yy][Ee][Rr]).*[Ss][Rr][Cc]\\s*=.*[Ee]-[Cc][Oo][Aa][Ll][Ee][Ss][Cc][Ee].*>.*>))";
/*
 * Form tags are allowed, but a form whose action matches either
 * alternative is removed from <form ...> through the matching </form>
 * (greedy, so through the last </form> in the input).
 */
private final static String XSS_FORMS_FILTER =
"((<\\s*[Ff][Oo][Rr][Mm].*[Aa][Cc][Tt][Ii][Oo][Nn]\\s*=.*"+XSS_NOT_HTTP_RE+".*>.*<\\s*/\\s*[Ff][Oo][Rr][Mm]\\s*>)|"+
"(<\\s*[Ff][Oo][Rr][Mm].*[Aa][Cc][Tt][Ii][Oo][Nn]\\s*=.*[Ee]-[Cc][Oo][Aa][Ll][Ee][Ss][Cc][Ee].*>.*<\\s*/\\s*[Ff][Oo][Rr][Mm]\\s*>))";
/*
 * Matches a target attribute with a single-quoted, double-quoted or
 * underscore-prefixed value; filterForHTMLRedisplay() replaces every
 * match with BLANK_TARGET. The quoted alternatives use a greedy `.*`,
 * so the match runs to the last matching quote on the line.
 */
private final static String XSS_TARGET_ATTRIBUTES_FILTER =
"\\s*[Tt][Aa][Rr][Gg][Ee][Tt]\\s*=\\s*((\'.*\')|(\".*\")|(_.*\\s*))";
// Replacement for XSS_TARGET_ATTRIBUTES_FILTER matches; written with
// surrounding spaces so it can stand in for the matched attribute text.
private final static String BLANK_TARGET = " target=_blank ";
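/**
 * Strips markup the XSS_* patterns classify as dangerous from user-entered
 * HTML before it is stored for redisplay, and prefixes the result with a
 * {@code <!--NO_EVAL-->} marker for the client-side execScript path.
 *
 * <p>The filters run in sequence, each replacing its matches with a single
 * space; the target-attribute filter substitutes {@code BLANK_TARGET}
 * instead. The method fails closed: if any step throws, {@code ""} is
 * returned rather than the output of the steps that had already run.
 *
 * <p>NOTE(review): this is a pattern blacklist and is only as complete as
 * the patterns above (inline event-handler attributes, for instance, are not
 * covered by any of them). An allowlisting sanitizer plus encoding on output
 * is the recommended way to make redisplay safe; the NO_EVAL marker only
 * affects the execScript path, not ordinary rendering of the stored HTML.
 * {@code DEBUG} is presumably a class-level flag - confirm.
 *
 * @param html user-entered HTML; {@code null} is treated as empty input
 * @return {@code "\n<!--NO_EVAL-->\n\n"} followed by the filtered markup, or
 *         {@code ""} when the input is {@code null} or any filter failed
 */
private String filterForHTMLRedisplay(String html){
    if (html == null) {
        return "";
    }
    String filtered;
    try {
        // Running result; 'filtered' is assigned only after every step
        // succeeded, so an exception in a later filter cannot leak the
        // partially filtered output of the earlier ones.
        String working = html;
        RE reObjects = new RE(FormUtils.XSS_BIG_OBJECTS_FILTER);
        working = reObjects.subst(working, " ");
        RE reTags = new RE(FormUtils.XSS_BIG_TAGS_FILTER);
        working = reTags.subst(working, " ");
        RE reLinks = new RE(FormUtils.XSS_NOT_RELATIVE_NOR_XDOMAIN_LINKS_FILTER);
        working = reLinks.subst(working, " ");
        RE reSrc = new RE(FormUtils.XSS_NOT_RELATIVE_NOR_XDOMAIN_SRC_FILTER);
        working = reSrc.subst(working, " ");
        RE reForms = new RE(FormUtils.XSS_FORMS_FILTER);
        working = reForms.subst(working, " ");
        RE reTarget = new RE(FormUtils.XSS_TARGET_ATTRIBUTES_FILTER);
        working = reTarget.subst(working, FormUtils.BLANK_TARGET);
        filtered = working;
    } catch (Exception e) {
        // Fail closed: reject the whole input instead of returning it
        // partly filtered. The exception itself (not just its message) is
        // printed so the failing pattern can be identified.
        if (DEBUG) {
            System.out.println("\nFormUtils.filterForHTMLRedisplay: " + e + "\n");
        }
        return "";
    }
    return "\n<!--NO_EVAL-->\n\n" + filtered;
}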
Again, I did most of this tonight, so I haven't even run it yet.
But I'd love some feedback if I'm fundamentally wrong.
Oh, the <!--NO_EVAL--> thing is so my AJAX execScript function knows not to
eval() any of this, just in case my REs don't catch everything.
-Joe
rapsy wrote:
Hi All,
I am trying to find a best solution to prevent Cross site scripting attacks.
I wrote a method to filter out all the bad characters. But my question is:
where should I call this method?
At the form level, in the setter methods, at the action level, or in a filter?
I think a filter is a good option, but I am not sure how to implement that.
Any help is appreciated!
Thanks