views: 34
answers: 3
Hi folks, I am looking for all your valuable suggestions for avoiding a vulnerability through form data in a web application. Which characters need to be encoded to avoid such injection attacks as part of HTML entity encoding? Injection of which chars into our form data will be prone to HTML injections?
As of now we are validating ",/,\,:,*,?,<,>,|,;,%,#,~ characters from user input into the form input fields of our web application. Also we have implemented an encoding methodology to encode {"<",">","\'","&"} to {"&lt;","&quot;","&gt;","&amp;"} wherever we allowed these characters from user input into our application form fields. Does it require us to enhance our encoding methodology to any other chars to get rid of any vulnerability situation? Please update me with your valuable suggestions ASAP. Thanks & regards, Sureshbabu

A: 

Basically it's enough to escape <>&" to their corresponding HTML entities, but there are some complicated attacks that include some character patterns that make the browser switch to another encoding, in which the attacker has encoded the attack string.

Since it's complicated, there are some libraries that are constantly updated to do this job the best way possible; one of them is HTML Purifier (for PHP).

aularon
A: 

Thank you Pekka for your response. Ours is a J2EE application deployed in JBoss.

suresh
A: 

Try Apache Commons - Lang: http://commons.apache.org/lang/api-release/index.html

The class StringEscapeUtils provides a method for your problem. http://commons.apache.org/lang/api-release/org/apache/commons/lang/StringEscapeUtils.html

ckuetbach
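For the J2EE case discussed in the question and the two answers above (escaping <>&" yourself, or calling a library such as StringEscapeUtils), here is an added example of a minimal output encoder in plain Java. It is not code from this thread or from Apache Commons; the class and method names are my own, and the sample form values are constructed. It also escapes the single quote, which matters when a value lands inside a single-quoted attribute; note that StringEscapeUtils.escapeHtml in Commons Lang 2.x does not escape the apostrophe, so an attribute context quoted with ' still needs that character handled.

```java
import java.util.LinkedHashMap;
import java.util.Map;

/**
 * Minimal HTML entity encoder for untrusted text that is written into
 * an HTML body or into a quoted attribute value.
 * Added example (hypothetical class name), not from the thread.
 */
public final class HtmlEntityEncoder {

    private HtmlEntityEncoder() {}

    /**
     * Replaces the five characters that can change HTML structure.
     * Apply once, at the point of output, never on stored data, so that
     * values are not double-encoded.
     */
    public static String escapeHtml(String input) {
        if (input == null) {
            return null;
        }
        StringBuilder out = new StringBuilder(input.length() + 16);
        for (int i = 0; i < input.length(); i++) {
            char c = input.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break; // &apos; is not an HTML 4 entity
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed sample form values, labelled by the context they would break.
        Map<String, String> samples = new LinkedHashMap<String, String>();
        samples.put("plain",        "Sureshbabu");
        samples.put("tag",          "<b>bold</b>");
        samples.put("dquote attr",  "x\" onfocus=\"y");
        samples.put("squote attr",  "x' onfocus='y");
        samples.put("ampersand",    "Tom & Jerry");
        samples.put("pre-encoded",  "&lt;already&gt;"); // shows why encoding must happen once

        for (Map.Entry<String, String> e : samples.entrySet()) {
            System.out.printf("%-12s %-20s -> %s%n",
                    e.getKey(), e.getValue(), escapeHtml(e.getValue()));
        }
    }
}
```

The "pre-encoded" line prints `&amp;lt;already&amp;gt;`, which is the visible symptom of encoding stored data and then encoding it again on output; keep the raw value in the database and encode in the view layer (JSP `<c:out>` does the same job for the four characters plus the apostrophe). Encoding like this covers HTML body and quoted-attribute contexts only; a value placed inside a JavaScript block, a URL or a CSS property needs the encoder for that context, which is the reason the first answer points to a maintained library.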