How best to sanitize input in Java webapp

Question

We use jsp, servlets, beans with mysql database. We don't want to restrict the characters entered by users on form fields. So how do I sanitize the input and how to make sure the output is not changed for malicious activities. Is there way while sending the output I could check if extra code has been sent. Like suppose there is search input field -- the user gives something like <script>alert("I am here")</script>. Is there anway I could know this is a html tag. If the user appends an extra parameter to a link field, is there like a before and after check I could do for the document to realize there has been a extra link field.

Answer 1

You should always do basic HTML-escaping of data taken from sources like user input or the database that might contain invalid characters. The <c:out> JSP tag does this, for example. That way if the user enters "<script> ..." in a field and you are printing it back again, it will be printed to the HTML as "<script> ...".

Answer 2

Are you trying to protect the database from sql injection attacks?

If so then just use stored procedures or prepared statements to protect the db.

If you know what parameters are allowed to be passed in from the form then just check for those parameters, don't use every parameter that was passed in.

If you use POST instead of GET on the form, and don't react to GET at all, then that will also help, as it will be harder for someone to add parameters.

Also, do a sanity check on every value that you get from a form. Assume that all data that comes from outside your control is suspect until you validate it.

Answer 3

You really should allow users to input as little HTML and/or javascript as possible. One good solution to validating and sanitizing this stuff is to use a ready-made library like OWASP AntiSamy.

Also, take a look at OWASP Enterprise Security API for a collection of security methods that a developer needs to build a secure web application.