I need to fix XSS issues in my application. Now, I am new to JSON and XSS. I think of two ways attacks can happen: first through HTML input controls (text box/area etc.), or through request parameters which are visible in the URL (GET). Please suggest if I am missing something here.
I am thinking of using AntiSamy (https://www.owasp.org/index.php/Category:OWASP_AntiSamy_Project). I am thinking of creating a custom tag which would contain the value of HTML controls, e.g.
<input type="text" NAME="name" value="<mytag:xssclean><c:out value= escapeXml="false"/></mytag:xssclean>
This tag class would actually use AntiSamy to scan the HTML content. Will this take care of encoding any malicious JavaScript content entered into the text box/area before sending those parameters to the controller classes and then eventually to the database? Or would it only encode the content which is coming from the controller classes to get rendered on the JSP?
Is this the right approach? When would I need to validate on the Java side (in the controller classes, by direct validation using AntiSamy) versus on the JSP (with the new tag)?
Additionally, I have many JSPs which do not have direct form fields with HTML controls, but their structure is created dynamically and a JSON string is given to the JSP. The JSP would simply have : where 'value' would contain the final JSON to be rendered in HTML (including HTML fields). Do we need to apply the XSS solution using AntiSamy on JSON strings, or is JSON data already safe from XSS attacks and are things like already present as text in JSON? Where should I resolve this issue for JSON cases?
I know that we can use the <form action="location" method=POST(or GET)> tag to send data back to the server by giving it an action and method attribute. My question is, what other HTML tags let you do the same (let you send user input back to the server)? And can we specify the method="GET or POST" and action attributes in other tags, or can they only be used with the <form> tag?
The <form> element is the de-facto element to send data to a web server (via the attributes that you mentioned as well as all of the other child input-related elements within the form).
Outside of the pure-HTML space, the options expand quite a bit in terms of the flexibility for how your client can interact with the server (e.g. leveraging AJAX, the Fetch API, etc.) by reading forms, arbitrary elements, and more.
I am working on a Spring Boot based MVC application which uses MongoDB to store the data. I am using Thymeleaf as the template engine. In one of the scenarios, the user needs to fill in a form which is then displayed on some view.
The problem I am facing is that the user can use HTML tags to format the data while writing in the textarea of the form (code snippets, tabular format etc.). But when I am displaying that text, the HTML is not being parsed and is displayed as is.
For example: <b>String</b> should be displayed as String but is being displayed as <b>String</b> only. When I check the source code of the page, the HTML tags are displayed as encoded, i.e. < is showing as &lt; etc., and hence the parsing is not happening.
Can someone please help?
You can output unescaped text with th:utext. From the official tutorial:
If we want Thymeleaf to respect our XHTML tags and not escape them, we will have to use a different attribute: th:utext (for “unescaped text”):
<p th:utext="#{home.welcome}">Welcome to our grocery store!</p>
The tutorial assumes that home.welcome is a string with html-tags:
home.welcome=Welcome to our <b>fantastic</b> grocery store!.
It goes without saying that this needs very careful validation so that only safe (whatever safe is for the particular use case) HTML is stored into the database (and no possibly malicious code like <script/> tags).
Please bear with my ignorance for now, as I have just started learning web-related programming. So, I have a web project written in MVC that has a login window with a Username textbox bound to a property:
@Html.TextBoxFor(model => model.UserName, new {@placeholder = "Username"})
As I understand, Razor automatically HTML-encodes input to help prevent cross-site scripting attacks. However, when I test the username with some JavaScript I get an exception from MVC:
A potentially dangerous Request.Form value was detected from the
client (UserName="...hp?name_1=code
Which makes me think that the input is NOT HTML-encoded. My idea was to resolve this issue with HTML encoding/decoding, but it looks like I am not getting this whole idea right. Could someone explain?
NOTE: one of SO's related posts provides an unsecured solution, but it is not an option for me to simply allow HTML.
It is not HTML-encoded, that is correct. You will have to do the HTML encoding in the action that the form posts back to.
Also, you will need to add the [ValidateInput(false)] attribute just above your action.
Classic problem. I want to see HTML rendered, but I'm seeing text in the browser. Whether I tell Handlebars.js to decode it or not in the template (three curly braces vs. two: {{{myHtmlData}}} vs. {{myHtmlData}}) doesn't get me there. Something about the JSON being returned via model.fetch() has this HTML data wrapped up in such a way that it is resistant to the notion of displaying as HTML. It's always considered a string, whether encoded or decoded, so it always displays as text.
Is this just something Backbone isn't meant to do?
The technologies involved here are:
backbone.marionette
handlebars.js
.NET Web API
Your data is being escaped automatically. It's a good thing, but since you're sure the data is safe HTML, use {{{ }}} as in this other question: Insert html in a handlebar template without escaping.
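The AntiSamy question at the top, the Thymeleaf th:utext answer and this Handlebars {{{ }}} answer all turn on the same distinction, shown here in an added JavaScript example that is not code from any of the posts or from those projects: escapeHtml is the kind of output encoding that {{ }} and th:text apply by default, and sanitizeHtml is an assumed, deliberately small allow-list sanitizer (standing in for a real one such as AntiSamy) that makes user-written formatting tags safe to emit unescaped.

```javascript
// Added example, not from any of the posts above: default output encoding versus an
// allow-list sanitizer for HTML that will later be emitted unescaped ({{{ }}} / th:utext).
const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Default output encoding: every character that could start markup becomes an entity,
// so "<b>String</b>" shows up literally, which is exactly what the questions complain about.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, ch => ESCAPES[ch]);
}

// Assumed formatting allow-list (bold, code, line breaks, tables). Attributes are never
// kept, so event handlers such as onerror= and javascript: URLs have nowhere to live.
const ALLOWED_TAGS = new Set(['b', 'i', 'em', 'strong', 'p', 'pre', 'code', 'br',
  'table', 'thead', 'tbody', 'tr', 'th', 'td']);
const VOID_TAGS = new Set(['br']);

function sanitizeHtml(input) {
  const tagRe = /<\/?([a-zA-Z][a-zA-Z0-9]*)\b[^>]*>/g;
  const open = [];              // allowed tags currently open, so the output stays balanced
  let out = '', last = 0, m;
  while ((m = tagRe.exec(input)) !== null) {
    out += escapeHtml(input.slice(last, m.index));   // text between tags is always escaped
    const name = m[1].toLowerCase();
    const closing = m[0][1] === '/';
    if (!ALLOWED_TAGS.has(name)) {
      out += escapeHtml(m[0]);    // <script>, <img onerror=...> etc. become visible text
    } else if (VOID_TAGS.has(name)) {
      out += `<${name}>`;
    } else if (!closing) {
      open.push(name);
      out += `<${name}>`;         // rebuilt without attributes
    } else if (open.includes(name)) {
      let t;                      // close up to and including the matching open tag
      do { t = open.pop(); out += `</${t}>`; } while (t !== name);
    }                             // a stray closing tag with nothing open is dropped
    last = tagRe.lastIndex;
  }
  out += escapeHtml(input.slice(last));
  while (open.length) out += `</${open.pop()}>`;    // close anything the user left open
  return out;
}
```

Running it shows <b>String</b> surviving while <script> and event-handler attributes come out as inert text; a production application should store only the sanitized form (on the server, with a maintained library such as AntiSamy and the same allow-list idea) and still escape everything else it renders.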
How can I render JSF tags like HTML tags?
For example, I have some HTML code in a string field:
String code = "example <br/> example";
If I use
<h:outputText value="#{bean.code}" escape="false"/>
I will get
example
example
Now I want to render a JSF component in the same way. For example:
String code = '<h:button value="something" action="something"/>';
But it will be rendered as it is. As I think, it must be translated first by the JSF servlet to HTML tags. How could I render JSF controls in that way? I've got texts containing lots of JSF controls (articles) stored in a database and I need to easily render JSF controls from that.
This is a very bad idea. The JSF tags have to go in a Facelet file and the text has to go in the DB. You should not manually add JSF tags to the text before storing it in the DB. You should do it in the Facelet file while displaying the text from the DB. That's how the "V" of MVC is supposed to work.
If you really insist on doing so (this is prone to security attacks and you have to do a lot of validation to prevent that), then the best you could do is to create a Facelets ResourceResolver which gets the data from the DB, saves it as a Facelet file in memory or on disk and returns the URL to it.