Ran into some issues on some of our Java sites today and needed a quick fix to protect the sites from malicious Cross Site Scripting (XSS) attempts. If you're not aware of what XSS is and you run websites that hold sensitive user data, you may want to read up: you're probably vulnerable, which means your users are vulnerable. I'm not claiming this is a perfect solution, but it was easy to implement and it corrected the vulnerabilities we had with form and URL injection. Basically we have a Servlet Filter that intercepts every request sent to the web application, and we use an HttpServletRequestWrapper to wrap the request and override the getParameter methods so they clean any potential script injection before the application sees the value.
Here's the Filter:
package com.greatwebguy.filter;

import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;

public class CrossScriptingFilter implements Filter {

    private FilterConfig filterConfig;

    public void init(FilterConfig filterConfig) throws ServletException {
        this.filterConfig = filterConfig;
    }

    public void destroy() {
        this.filterConfig = null;
    }

    // Every request that matches the filter mapping is wrapped before it reaches the application,
    // so servlets and JSPs only ever see the cleaned parameter and header values.
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        chain.doFilter(new RequestWrapper((HttpServletRequest) request), response);
    }
}
Here's the wrapper:
package com.greatwebguy.filter;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

public final class RequestWrapper extends HttpServletRequestWrapper {

    public RequestWrapper(HttpServletRequest servletRequest) {
        super(servletRequest);
    }

    // Each value of a multi-valued parameter is cleaned individually.
    public String[] getParameterValues(String parameter) {
        String[] values = super.getParameterValues(parameter);
        if (values == null) {
            return null;
        }
        int count = values.length;
        String[] encodedValues = new String[count];
        for (int i = 0; i < count; i++) {
            encodedValues[i] = cleanXSS(values[i]);
        }
        return encodedValues;
    }

    public String getParameter(String parameter) {
        String value = super.getParameter(parameter);
        if (value == null) {
            return null;
        }
        return cleanXSS(value);
    }

    // Headers are cleaned as well, since they can be reflected into a page just like parameters.
    public String getHeader(String name) {
        String value = super.getHeader(name);
        if (value == null)
            return null;
        return cleanXSS(value);
    }

    private String cleanXSS(String value) {
        // Encode the characters most often used to break out of HTML text or attributes.
        value = value.replaceAll("<", "&lt;").replaceAll(">", "&gt;");
        value = value.replaceAll("\\(", "&#40;").replaceAll("\\)", "&#41;");
        value = value.replaceAll("'", "&#39;");
        // Strip the most common script fragments outright.
        value = value.replaceAll("eval\\((.*)\\)", "");
        value = value.replaceAll("[\\\"\\\'][\\s]*javascript:(.*)[\\\"\\\']", "\"\"");
        value = value.replaceAll("script", "");
        return value;
    }
}
Add this to the top of your web.xml:

<filter>
    <filter-name>XSS</filter-name>
    <display-name>XSS</display-name>
    <description></description>
    <filter-class>com.greatwebguy.filter.CrossScriptingFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>XSS</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
I'm sure the cleanXSS replacements aren't the most efficient way of doing this. You could replace them with StringEscapeUtils.escapeHtml from commons-lang to simplify it a little; it's up to you, and it depends on what your site is doing and whether having all the HTML escaped is going to be a pain. You could also adjust the url-pattern of the filter to be more specific to your application's URLs, so that not everything under your app runs through the filter.
Some things to be aware of with this approach: you'll need to account for what you've encoded, or in some cases you'll end up with weird characters in your database and possibly in the validation of your input boxes. Some would recommend positive validation rather than negative validation, i.e. only allowing a certain range of characters for each input instead of trying to strip out the bad ones. It's up to you, but it is something to think about.
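As an added example of the positive-validation idea (not code from the original post), here is a filter that checks known parameters against a per-parameter allowlist and refuses the request when a value does not fit, while unlisted parameters still go through the escaping RequestWrapper above. The parameter names and patterns in ALLOWED are constructed for illustration, and the class is assumed to live in the same com.greatwebguy.filter package as the wrapper.

```java
package com.greatwebguy.filter;

import java.io.IOException;
import java.util.Map;
import java.util.regex.Pattern;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class AllowlistFilter implements Filter {
    // Constructed allowlist for illustration: parameter name -> shape its value must have.
    private static final Map<String, Pattern> ALLOWED = Map.of(
        "username", Pattern.compile("[A-Za-z0-9_]{1,32}"),
        "page",     Pattern.compile("[0-9]{1,6}"),
        "q",        Pattern.compile("[A-Za-z0-9 ]{0,100}"));

    public void init(FilterConfig filterConfig) throws ServletException { }
    public void destroy() { }

    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        String bad = firstRejected(req.getParameterMap());
        if (bad != null) {
            // Positive validation: a value outside its allowed shape is refused outright
            // rather than "repaired", so nothing mangled reaches the handler or the database.
            ((HttpServletResponse) response).sendError(HttpServletResponse.SC_BAD_REQUEST,
                    "Invalid value for parameter " + bad);
            return;
        }
        // Parameters with no allowlist entry still get the escaping wrapper from above.
        chain.doFilter(new RequestWrapper(req), response);
    }

    // Returns the name of the first parameter whose value violates its pattern, else null.
    static String firstRejected(Map<String, String[]> params) {
        for (Map.Entry<String, String[]> e : params.entrySet()) {
            Pattern p = ALLOWED.get(e.getKey());
            if (p == null) continue;  // unlisted parameter: falls back to escaping
            for (String v : e.getValue()) {
                if (!p.matcher(v).matches()) return e.getKey();
            }
        }
        return null;
    }
}
```

Map.of needs Java 9 or later; on older runtimes build the allowlist with a HashMap instead. Map it in web.xml the same way as the XSS filter above, and keep the patterns as tight as the application's real inputs allow.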
Reference: http://greatwebguy.com/programming/java/simple-cross-site-scripting-xss-servlet-filter/