...
This noncompliant code example uses the MVC concept of the Java EE based Spring Framework to display data to the user without encoding or escaping it. Since the data is sent to a web browser, then the code is subject to both HTML injection and XSS attacks.
| Code Block | ||
|---|---|---|
| ||
@RequestMapping("/getnotifications.htm")
public ModelAndView getNotifications(HttpServletRequest request, HttpServletResponse response) {
ModelAndView mv = new ModelAndView();
try {
UserInfo userDetails = getUserInfo();
List<Map<String,Object>> list = new ArrayList<Map<String,Object>>();
List<Notification> notificationList = notificationService
NotificationService.getNotificationsForUserId(userDetails.getPersonId());
for (Notification notification: notificationList) {
Map<String,Object>map = new HashMap<String,Object>();
map.put("id",notification.getId());
map.put("message", notification.getMessage());
list.add(map);
}
mv.addObject("Notifications",list);
}
catch(Throwable t){
// log to file and handle
}
return mv;
}
|
...
| Code Block | ||
|---|---|---|
| ||
public class ValidateOutput {
// Allows only alphanumeric characters and spaces
private Pattern pattern = Pattern.compile("^[a-zA-Z0-9\\s]{0,20}$");
// Validates and encodes the input field based on a whitelist
private String validate(String name, String input) throws ValidationException {
String canonical = normalize(input);
if (!pattern.matcher(canonical).matches()) {
throw new ValidationException("Improper format in " + name + " field");
}
// Performs output encoding for non valid characters
canonical = HTMLEntityEncode(canonical);
return canonical;
}
// Normalizes to known instances
private String normalize(String input) {
String canonical = java.text.Normalizer.normalize(input, Normalizer.Form.NFKC);
return canonical;
}
// Encodes non valid data
public static String HTMLEntityEncode(String input) {
StringBuffer sb = new StringBuffer();
for (int i = 0; i < input.length(); i++) {
char ch = input.charAt(i);
if (Character.isLetterOrDigit(ch) || Character.isWhitespace(ch)) {
sb.append(ch);
} else {
sb.append("&#" + (int)ch + ";");
}
}
return sb.toString();
}
}
// // description and input are String variables containing values obtained from a database
// description = "description" and input = "2 items available"
public static void display(String description, String input) throws ValidationException...
@RequestMapping("/getnotifications.htm")
public ModelAndView getNotifications(HttpServletRequest request, HttpServletResponse response) {
ValidateOutput vo = new ValidateOutput();
ModelAndView mv = new ModelAndView();
try {
UserInfo userDetails = getUserInfo();
List<Map<String,Object>> list = new ArrayList<Map<String,Object>>();
List<Notification> notificationList =
NotificationService.getNotificationsForUserId(userDetails.getPersonId());
for (Notification notification: notificationList) {
ValidateOutput voMap<String,Object>map = new ValidateOutput( HashMap<String,Object>();
String id = vo.validate( "id" ,notification.getId());
map.put("id", id);
map.put("message", vo.validate(description, input);
// Pass to another system or display to the user
}
}
id, notification.getMessage()));
list.add(map);
}
mv.addObject("Notifications",list);
}
catch(Throwable t){
// log to file and handle
}
return mv;
}
|
Also, see See, also, the method weblogic.servlet.security.Utils.encodeXSS() for more information on preventing XSS attacks.
Applicability
Failure to encode or escape output before it is displayed or passed across a trust boundary can result in the execution of arbitrary code.
...