Security flaws : How to avert them?

I am in a bit of a pickle :

I have a lot of values which i am setting in a bean in java and then i am getting them in javascript and jsp using scriplets like this :

In My Bean.java :

public void setListValue(String s) {   listValue = s;    }
public String getListValue()       {   return listValue;     } 

Now in my jsp(inside a javascript function) :

input = $input({type:'hidden',id:'ListVal',name:'ListVal',
value: '<%= results.getListValue() %>'});

Sometimes i am using the scriplet code to retrieve parametres in jsp as well.

Normally if a parameter is passed from java file to java file or from jsp file to jsp file , then i use native java encoder and decoder like this :

     EncodedHere = URLEncoder.encode(encodedStr,"UTF-8");
     DecodedHere = URLDecoder.decode(EncodedHere,"UTF-8");

This works flawlessly for those scenarios but if i have set my variables in java and then i try to retrieve them in javascript or jsp like the afore mentioned way , it fails. I have tried the JSTL way as well , but could not make it work, seems JSTL is not suitable to get values in javascript. Now this scriplet has been flagged as security concern by many. Since it's a huge code base it's very difficult to change that as well.

Does some one have any ideas as to avert this security flaw somehow. In other words, is there a way i can encode the variable in java and get the encoded string in jsp and javascript and then decode it ?

Answers


It sounds like your security guys are worried about XSS (cross site scripting) attacks, which means data entered by the user that is re-displayed on a page could have malicious code in it. If that is the case you actually don't want to URL encode the data, you want to XML escape it, i.e replace potentially dangerous characters like < with their corresponding character entity like &lt;. To do this in JSP you can use the <c:out> tag or the fn:escapeXML EL function. This works perfectly fine in javascript code, even if it is a little ugly. In your case it would look something like this:

First escape the javascript before you put it on the request using an escaping library the ESAPI reference implementation:

String jsEscapedValue = ESAPI.encoder().encodeForJavaScript(results.getListValue());
request.setAttribute("listValue", jsEscapedValue);

Then on the page use the <c:out> tag to HTML/XML escape it:

var myJsValue = '<c:out value="${listValue}"/>';

Make sure jstl.jar is on the classpath and be sure to include the correct tag lib at the top of your page.

<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core"%>

Need Your Help

Programmatically detecting if an external config file has been read in?

grails grails-config

We use grails.config.locations to pull in (optional) settings from a file external to the app. Is there a good way to detect that this file was loaded, either in Bootstrap.groovy or within Config.g...

how to get all the tags of a repository in directories

git

For example, if I have a repository with tags

About UNIX Resources Network

Original, collect and organize Developers related documents, information and materials, contains jQuery, Html, CSS, MySQL, .NET, ASP.NET, SQL, objective-c, iPhone, Ruby on Rails, C, SQL Server, Ruby, Arrays, Regex, ASP.NET MVC, WPF, XML, Ajax, DataBase, and so on.