views: 270

answers: 3

In my Java app I'm preventing XSS attacks. I want to encode URL and hidden-field parameters in the HttpServletRequest objects I have a handle on.

How would I go about doing this?

A: 

To properly display user-entered data on an HTML page, you simply need to ensure that any special HTML characters are properly encoded as entities, via String#replace or similar. The good news is that there is very little you need to encode (for this purpose):

str = str.replace("&", "&amp;").replace("<", "&lt;");

You can also replace > if you like, but there's no need to.

This isn't only because of XSS, but also just so that characters show up properly. You may also want to ensure that characters outside the common Latin set are turned into appropriate entities, to protect against charset issues (UTF-8 vs. Windows-1252, etc.).

T.J. Crowder
A: 

You can use StringEscapeUtils from the Apache Jakarta Commons Lang library:

http://www.jdocs.com/lang/2.1/org/apache/commons/lang/StringEscapeUtils.html

Mike
+1  A: 

Don't do that. You're making it unnecessarily complicated. Just escape it during display only. See my answer in your other topic: http://stackoverflow.com/questions/2333586/java-5-html-escaping-to-prevent-xss/2333900#2333900

BalusC
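Worked example, added here by the editor and not taken from any of the answers above: a small Java class that follows the advice in the first and third answers (keep the raw parameter value, escape only at the point of output) and extends it to the attribute and URL contexts the question mentions, where escaping only & and < is not enough. The class name, the helper names and the constructed parameter map standing in for request.getParameterMap() are the editor's assumptions; the URLEncoder overload taking a Charset needs Java 10 or later.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.LinkedHashMap;
import java.util.Map;

/**
 * Output-time escaping demo (editor's example, not from the original answers).
 * Raw request values are stored untouched and escaped per context when rendered.
 */
public final class HtmlEscapeDemo {

    /**
     * Escapes the five characters that matter in HTML text nodes and in quoted
     * attribute values. Escaping ' as well makes the result safe inside both
     * "..." and '...' delimited attributes.
     */
    public static String escapeHtml(String s) {
        if (s == null) {
            return "";
        }
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Hidden field: attribute context, so quotes in the raw value must be escaped. */
    public static String renderHiddenField(String name, String rawValue) {
        return "<input type=\"hidden\" name=\"" + escapeHtml(name)
             + "\" value=\"" + escapeHtml(rawValue) + "\">";
    }

    /**
     * Link carrying the value in a query string: URL-encode for the URL syntax,
     * then HTML-escape because the URL sits inside an href attribute.
     */
    public static String renderSearchLink(String rawQuery) {
        String url = "/search?q=" + URLEncoder.encode(rawQuery, StandardCharsets.UTF_8);
        return "<a href=\"" + escapeHtml(url) + "\">" + escapeHtml(rawQuery) + "</a>";
    }

    public static void main(String[] args) {
        // Constructed sample parameters standing in for request.getParameterMap().
        Map<String, String> params = new LinkedHashMap<>();
        params.put("q", "<script>alert(1)</script>");
        params.put("title", "\" autofocus onfocus=\"alert(1)");
        params.put("note", "Fish & Chips");

        for (Map.Entry<String, String> e : params.entrySet()) {
            // Text-node context: & and < are the essential ones, as the first answer says.
            System.out.println("<p>" + escapeHtml(e.getValue()) + "</p>");
            // Attribute context: the second sample value would break out of the
            // attribute if only & and < were escaped.
            System.out.println(renderHiddenField(e.getKey(), e.getValue()));
            // URL-in-attribute context: two layers of encoding, applied in order.
            System.out.println(renderSearchLink(e.getValue()));
        }

        // Why the third answer says not to escape on the way in: a value escaped
        // at input time and then escaped again at output time is double-escaped,
        // and the input-escaped form is wrong for non-HTML sinks such as logs or JSON.
        String escapedOnInput = escapeHtml(params.get("note"));
        System.out.println("<p>" + escapeHtml(escapedOnInput) + "</p>");
    }
}
```

Run with `javac HtmlEscapeDemo.java && java HtmlEscapeDemo`. The last line printed shows the double-escaping artifact that input-side encoding produces; the lines before it show that the same raw value needs a different escaping depending on whether it lands in a text node, a quoted attribute, or a URL inside an attribute, which is why the escaping belongs at the output sink rather than in the HttpServletRequest.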