How to prevent XSS vulnerability with Struts
Question
We need to add anti-XSS support in our Struts application. Most specifically the architect requires that all user input must be "sanitized" before storing in DB. As I don't want to reinvent the square wheel, which Java library can I use for this ? And where to put it ? Ideally it should be configurable (which input fields to check, not all of them in request) and fast. My first thought is Struts Validator.
Thanks in advance Lluis
2 answers
solution1
3 2009-05-29 18:53:29
I recommend you look into OWASP's ESAPI project . It has been under development for over a year, and is approaching its 2.0 release.
For escaping values stored in the database, check out the Encoder.encodeForSQL() method ( reference implementation ).
For input validation, check out the Validator ( reference implementation ).
Note: my understanding is that the functionality provided by older projects such as Stinger and CSRFGuard is being included in ESAPI.
solution2
2 2009-05-05 16:24:24
If you seach google for XSS Java Filter, you'll come up with many open source solutions, such as this one .
You could also look at the OWASP validation project .
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.