How to filter out all non-word characters from user input in Java

views:

316

answers:

How to filter out all non-word characters from user input in Java

I'm trying to filter out all possibilities of XSS from user name input while still allowing for foreign names to be inputted.

What is the best way to white-list all word-characters in multiple languages (also Chinese and Japanese and Russian)?

Is this possible at all? It would be easy to create a blacklist for XSS with "<>><" but then the hackers could work around this.

+3 A:

I think you may be approaching the problem from the wrong direction.

Typically, preventing XSS vulns is a case of ensuring that any user-generated content that you display on your website is properly escaped.

That way you ensure that what is displayed is exactly what the user entered, without having the risk of your whitelist inadvertently letting a few bad cases through.

Cyphus 2009-06-01 12:02:04

From what I've been reading I've gotten the impression that you should have a very strict whitelist, since the hackers will find ways around your blacklists (e.g http://ha.ckers.org/xss.html ) However, in this case I want a whitelist that would not limit input to just US (or Western European) ASCII, but would at the same time be "completely" XSS vulnerability free.

tksu 2009-06-01 12:15:35

You're right to be paranoid of course, but I believe you may be being *too* paranoid.If you don't encode every character of user-inputted data (i.e. turn it into %XX character codes), then there is always the possibility that you've missed a possible vulnerability, so if you want 100% assurance that what you output is safe, you could always just encode them all.

Cyphus 2009-06-01 12:33:42

ansaurus

tags:

views:

answers:

How to filter out all non-word characters from user input in Java

related questions