通过替换所有方括号字符来防止Javascript XSS

Question

I'm using MongoDB for backend, which makes me believe I shouldn't be worried about XSS in my DB.

For the "frontend" I'm generating pages via JSP. Now, I'm religiously escaping user-generated content (which should be plain text - no Javascript or HTML tags), but I don't trust myself 100%.

After reading some pointers about XSS, I'm wondering whether the following hack would fail-proof my website.

When consuming user-generated input on the server side, I want to replace all the brackets in user-generated content , eg () by [] . And I want to replace all the <> symbols by: single left-pointing angle quotation mark: ‹ single right-pointing angle quotation mark: ›

Now, I'm assuming that without () and <> it's pretty much impossible to write a piece of JavaScript XSS.

Will this hack work or am I missing something?

Answer 1

You've stated or alluded to the following in the comments or question above, paraphrased:

• Tainted data is interpolated in a div data state context, eg: <div> tainted data here </div>
• Tainted data is interpolated in a nested context: JavaScript single/double-quoted → script data state: <script>$('#someid').populate($.parseJSON('<%=StringEscapeUtils.escapeEcmaScript‌​(jsonString)%>'));</script>
• You use Apache Commons JavaScript string escaper StringEscapeUtils.escapeEcmaScript‌​ for the aforementioned JavaScript contexts
• You will filter out < and > characters

I don't see any way for XSS to occur given the above. If you do not escape the < and > then your code might be susceptible to some weirdness regarding script data escape states. That weirdness could possibly lead to an XSS.

Instead of filtering, I recommend escaping the data using the Coverity Security Library Escape.jsString method, which escapes < and > . (Full disclosure: I worked at Coverity and committed to that library.)