...
This noncompliant code example uses the MVC concept of the Java EE based Spring Framework to display data obtained from a database directly to the user, without performing any output validation, encoding, or escaping.

```java
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.servlet.ModelAndView;

@RequestMapping("/getnotifications.htm")
public class BadOutput {
  // description and input are String variables containing values obtained from a database
  // description = "description" and input = "<script> executable code </script>"
  public static void display(String description, String input) {
    // Display to the user or pass description and input to another system
  }

  // UserInfo, Notification, getUserInfo() and notificationService are application-defined
  ModelAndView getNotifications(HttpServletRequest request, HttpServletResponse response) {
    ModelAndView mv = new ModelAndView();
    try {
      UserInfo userDetails = getUserInfo();
      List<Map<String, Object>> list = new ArrayList<Map<String, Object>>();
      List<Notification> notificationList =
          notificationService.getNotificationsForUserId(userDetails.getPersonId());
      for (Notification notification : notificationList) {
        Map<String, Object> map = new HashMap<String, Object>();
        map.put("id", notification.getId());
        // The message is added to the model unencoded, so any markup it contains reaches the view as-is
        map.put("message", notification.getMessage());
        list.add(map);
      }
      mv.addObject("Notifications", list);
    } catch (Throwable t) {
      // log to file and handle
    }
    return mv;
  }
}
```
Compliant Solution
This compliant solution defines a ValidateOutput class that normalizes the output to a known character set, performs output validation against a whitelist, and then encodes any remaining non-whitelisted characters, so that validation and encoding act as a double check. Note that the required whitelisting patterns may vary according to the specific needs of different fields [OWASP 2008].
```java
import java.text.Normalizer;
import java.util.regex.Pattern;

public class ValidateOutput {
  // Allows only alphanumeric characters and spaces
  private Pattern pattern = Pattern.compile("^[a-zA-Z0-9\\s]{0,20}$");

  // Validates and encodes the input field based on a whitelist
  // (ValidationException is an application-defined checked exception)
  private String validate(String name, String input) throws ValidationException {
    String canonical = normalize(input);
    if (!pattern.matcher(canonical).matches()) {
      throw new ValidationException("Improper format in " + name + " field");
    }
    // Performs output encoding for non valid characters
    canonical = HTMLEntityEncode(canonical);
    return canonical;
  }

  // Normalizes to known instances
  private String normalize(String input) {
    String canonical = Normalizer.normalize(input, Normalizer.Form.NFKC);
    return canonical;
  }

  // Encodes non valid data as numeric character references
  public static String HTMLEntityEncode(String input) {
    StringBuffer sb = new StringBuffer();
    for (int i = 0; i < input.length(); i++) {
      char ch = input.charAt(i);
      if (Character.isLetterOrDigit(ch) || Character.isWhitespace(ch)) {
        sb.append(ch);
      } else {
        sb.append("&#" + (int) ch + ";");
      }
    }
    return sb.toString();
  }

  // description and input are String variables containing values obtained from a database
  // description = "description" and input = "2 items available"
  public static void display(String description, String input) throws ValidationException {
    ValidateOutput vo = new ValidateOutput();
    String safe = vo.validate(description, input);
    // Pass the validated and encoded value (safe), not the raw input, to another system or display it to the user
  }
}
```
...
See also the method weblogic.servlet.security.Utils.encodeXSS().
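The following added example (not the CERT page's own code) applies the normalize, whitelist, encode sequence of the compliant solution to the id and message fields that the controller above places into the model, with a separate whitelist per field; the class, method names, per-field patterns and sample rows are assumptions constructed for this example.

```java
import java.text.Normalizer;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.regex.Pattern;

// Added example, not code from the CERT page: per-field whitelists with NFKC normalization
// before validation and numeric-entity encoding as the second layer.
public class NotificationOutputFilter {
  // Field-specific whitelists (assumed for this example; real patterns depend on the field)
  private static final Map<String, Pattern> WHITELIST = new LinkedHashMap<>();
  static {
    WHITELIST.put("id", Pattern.compile("^[0-9]{1,10}$"));
    WHITELIST.put("message", Pattern.compile("^[a-zA-Z0-9\\s.,!]{0,80}$"));
  }
  // Normalize first so compatibility characters (e.g. fullwidth digits) are folded before checking
  static String normalize(String input) {
    return Normalizer.normalize(input, Normalizer.Form.NFKC);
  }
  // Returns the encoded value, or null when the field is unknown or fails its whitelist
  static String filter(String field, String raw) {
    String canonical = normalize(raw);
    Pattern p = WHITELIST.get(field);
    if (p == null || !p.matcher(canonical).matches()) {
      return null;
    }
    return htmlEntityEncode(canonical);
  }
  // Second layer: anything that is not a letter, digit or whitespace becomes a numeric entity
  static String htmlEntityEncode(String s) {
    StringBuilder sb = new StringBuilder();
    for (int i = 0; i < s.length(); i++) {
      char ch = s.charAt(i);
      if (Character.isLetterOrDigit(ch) || Character.isWhitespace(ch)) {
        sb.append(ch);
      } else {
        sb.append("&#").append((int) ch).append(';');
      }
    }
    return sb.toString();
  }
  public static void main(String[] args) {
    // Constructed sample rows standing in for Notification objects read from the database;
    // U+FF14 is a fullwidth '4' and U+2460 a circled '1', both folded by NFKC
    String[][] rows = {{"42", "2 items available!"}, {"43", "<script>alert(1)</script>"},
                       {"\uFF14\uFF14", "Item \u2460 shipped"}, {"4a", "ok"}};
    for (String[] row : rows) {
      System.out.printf("id %s -> %s | message %s -> %s%n",
          row[0], filter("id", row[0]), row[1], filter("message", row[1]));
    }
  }
}
```

A null result means the value must not be rendered; the caller decides whether to log and drop the row or substitute a fixed placeholder.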
Applicability
Failure to encode or escape output before it is displayed or passed across a trust boundary can result in the execution of arbitrary code.
...
| Guideline | Severity | Likelihood | Remediation Cost | Priority | Level |
|---|---|---|---|---|---|
| IDS50-JG | high | probable | medium | P12 | |
...
Related Vulnerabilities
...