We need to add anti-XSS support in our Struts application. Most specifically, the architect requires that all user input must be "sanitized" before storing in the DB. As I don't want to reinvent the square wheel, which Java library can I use for this? And where to put it? Ideally it should be configurable (which input fields to check, not all of them in the request) and fast. My first thought is Struts Validator.

Thanks in advance, Lluis

+2  A: 

If you search Google for XSS Java Filter, you'll come up with many open source solutions, such as this one.

You could also look at the OWASP validation project.

+2  A: 

I recommend you look into OWASP's ESAPI project. It has been under development for over a year, and is approaching its 2.0 release.

For escaping values stored in the database, check out the Encoder.encodeForSQL() method (reference implementation).

For input validation, check out the Validator (reference implementation).

Note: my understanding is that the functionality provided by older projects such as Stinger and CSRFGuard is being included in ESAPI.
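An added example, not code from the answer or from the ESAPI project, of the configurable per-field validation the question asks for, built on the ESAPI 2.x Validator and Encoder named above. It assumes the ESAPI jar and an ESAPI.properties file on the classpath whose Validator.Email and Validator.SafeString patterns are the ones in the default properties file shipped with ESAPI; FieldSanitizer and its Rule class are hypothetical names.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import org.owasp.esapi.ESAPI;
import org.owasp.esapi.errors.ValidationException;

/** Whitelist-validates a configurable subset of request fields with the ESAPI Validator. */
public final class FieldSanitizer {

    /** Rule for one field: ESAPI validation type (Validator.<type> in ESAPI.properties) and max length. */
    private static final class Rule {
        final String type; final int maxLength; final boolean allowNull;
        Rule(String type, int maxLength, boolean allowNull) {
            this.type = type; this.maxLength = maxLength; this.allowNull = allowNull;
        }
    }

    private final Map<String, Rule> rules = new LinkedHashMap<>();

    /** Registers a field to check; fields without a rule are passed through unchanged. */
    public FieldSanitizer check(String field, String esapiType, int maxLength, boolean allowNull) {
        rules.put(field, new Rule(esapiType, maxLength, allowNull));
        return this;
    }

    /** Returns a validated copy of params, or throws for the first field that fails its rule. */
    public Map<String, String> validate(Map<String, String> params) throws ValidationException {
        Map<String, String> clean = new LinkedHashMap<>();
        for (Map.Entry<String, String> e : params.entrySet()) {
            Rule r = rules.get(e.getKey());
            if (r == null) { clean.put(e.getKey(), e.getValue()); continue; }
            // getValidInput canonicalizes the value (undoing double or mixed encodings) and then
            // matches it against the Validator.<type> regex; anything else is rejected, not "cleaned".
            clean.put(e.getKey(), ESAPI.validator().getValidInput(
                    e.getKey(), e.getValue(), r.type, r.maxLength, r.allowNull));
        }
        return clean;
    }

    /** Encodes a stored value for an HTML context at render time; output encoding, not input filtering, is what stops XSS. */
    public static String forHtml(String value) {
        return ESAPI.encoder().encodeForHTML(value);
    }

    public static void main(String[] args) {
        FieldSanitizer s = new FieldSanitizer()
                .check("email", "Email", 254, false)         // Validator.Email from the default ESAPI.properties
                .check("comment", "SafeString", 1000, true); // Validator.SafeString: alphanumerics, space and '.'
        Map<String, String> form = new LinkedHashMap<>();    // constructed sample request parameters
        form.put("email", "alice@example.com");
        form.put("comment", "<script>alert(1)</script>");
        try {
            System.out.println(s.validate(form));
        } catch (ValidationException ex) { // "comment" fails Validator.SafeString, so this branch runs
            System.out.println("rejected " + ex.getContext() + ": " + ex.getUserMessage());
        }
        System.out.println(forHtml("<script>alert(1)</script>")); // &lt;script&gt;alert&#x28;1&#x29;&lt;&#x2f;script&gt;
    }
}
```

Fields that are not registered with check() are passed through untouched, which gives the "only some input fields" configurability the question asks for; the rejected field's name is available from ValidationException.getContext() for reporting back to the form.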
