Remove HTML from user input


Remove HTML from user input

Adam Stokar
Hi everyone,

Does Stripes have an easy way to remove HTML from user input to prevent XSS attacks?  I've googled with no success.

Thanks,

_______________________________________________
Stripes-users mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/stripes-users

Re: Remove HTML from user input

Mike McNally-3
XSS is part of a wider class of attacks (like SQL injection) that are
more *output* problems than input problems. There are solutions in the
JSP world for escaping content in HTML/XML contexts, just as there are
solutions for protecting queries from user-supplied data in the SQL
world.

On Tue, Oct 14, 2014 at 3:53 PM, Adam Stokar <[hidden email]> wrote:

> Hi everyone,
>
> Does Stripes have an easy way to remove HTML from user input to prevent XSS
> attacks?  I've googled with no success.
>
> Thanks,
>



--
Turtle, turtle, on the ground,
Pink and shiny, turn around.


Re: Remove HTML from user input

Grzegorz Krugły
In reply to this post by Adam Stokar
I've been using this one https://github.com/StripesFramework/stripes-xss
quite successfully; I have it modified a bit to serve a more complex use
case of having more relaxed rules for some URL/field-name combinations
(e.g. those that I KNOW have CKEditor on them).


Re: Remove HTML from user input

Rusty Wright-2
In reply to this post by Adam Stokar

On Tue, Oct 14, 2014 at 1:53 PM, Adam Stokar <[hidden email]> wrote:
Hi everyone,

Does Stripes have an easy way to remove HTML from user input to prevent XSS attacks?  I've googled with no success.

Thanks,





Re: Remove HTML from user input

VANKEISBELCK Remi
In reply to this post by Adam Stokar
Hi, 

I guess you can validate whatever you want by providing your own ActionBeanPropertyBinder:
net.sourceforge.stripes.controller.ActionBeanPropertyBinder

I think it can be done very easily by overriding a single method in there, maybe:
net.sourceforge.stripes.controller.DefaultActionBeanPropertyBinder#bind(net.sourceforge.stripes.action.ActionBean, java.lang.String, java.lang.Object)

If the value is a String, then check for XSS and sanitize the String before setting the bean prop if needed.

When you output anything in JSP, you should be safe using JSTL's <c:out>: it escapes XML by default.

Cheers

Rémi


2014-10-14 22:53 GMT+02:00 Adam Stokar <[hidden email]>:
Hi everyone,

Does Stripes have an easy way to remove HTML from user input to prevent XSS attacks?  I've googled with no success.

Thanks,

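Rémi's binder override and Grzegorz's relaxed rules for fields known to carry rich text, combined in an added example that is not Stripes', stripes-xss's or any poster's code. The package name, the servlet path and property in the allow-list, and the `throws Exception` clause on `bind` (taken from the Stripes 1.5 source; the three-argument signature is the one Rémi names) are assumptions, and the custom binder still has to be registered as described in the Stripes configuration docs (for instance through the StripesFilter's `Extension.Packages` init-param).

```java
package com.example.web;                          // hypothetical package

import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import net.sourceforge.stripes.action.ActionBean;
import net.sourceforge.stripes.controller.DefaultActionBeanPropertyBinder;

public class HtmlEscapingPropertyBinder extends DefaultActionBeanPropertyBinder {
    // Hypothetical allow-list keyed "servletPath:property": fields that are
    // expected to carry markup (a CKEditor body) are bound unchanged and must
    // be cleaned with a real HTML sanitizer before they are ever rendered.
    private static final Set<String> RICH_TEXT_FIELDS = new HashSet<>(
            Arrays.asList("/article/edit.action:body"));

    // Signature as named in the thread; 'throws Exception' assumed from the
    // Stripes 1.5 source, adjust to the version you build against.
    @Override
    protected void bind(ActionBean bean, String property, Object value) throws Exception {
        if (value instanceof String && !isRichTextField(bean, property)) {
            value = escapeHtml((String) value);
        }
        super.bind(bean, property, value);
    }

    private boolean isRichTextField(ActionBean bean, String property) {
        String path = bean.getContext().getRequest().getServletPath();
        return RICH_TEXT_FIELDS.contains(path + ":" + property);
    }

    // Entity-encode the characters that can change HTML structure. This alters
    // the stored data ("a < b" becomes "a &lt; b") and only covers the HTML text
    // context; a value later written into JavaScript or a URL needs its own encoding.
    static String escapeHtml(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }
}
```

Escaping at bind time changes what gets stored and only addresses the HTML text context, so `<c:out>` or `fn:escapeXml` on output stays necessary, as Mike points out.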




Re: Remove HTML from user input

Mike McNally-3
It's true that <c:out> or ${fn:escapeXml(whatever)} offers protection
against XSS attacks involving injected HTML/XML markup, but that's not
really enough on the client side. If user-tainted content is emitted
into a JavaScript context, then it has to be protected differently
(most effectively, with a JSON serializer).


On Wed, Oct 15, 2014 at 3:21 AM, VANKEISBELCK Remi <[hidden email]> wrote:

> Hi,
>
> I guess you can validate whatever you want by providing your own
> ActionBeanPropertyBinder:
> net.sourceforge.stripes.controller.ActionBeanPropertyBinder
>
> I think it can be done very easily by overriding a single method in there,
> maybe:
> net.sourceforge.stripes.controller.DefaultActionBeanPropertyBinder#bind(net.sourceforge.stripes.action.ActionBean,
> java.lang.String, java.lang.Object)
>
> If the value is a String, then check for XSS and sanitize the String
> before setting the bean prop if needed.
>
> When you output anything in JSP, you should be safe using JSTL's <c:out>:
> it escapes XML by default.
>
> Cheers
>
> Rémi
>
>
> 2014-10-14 22:53 GMT+02:00 Adam Stokar <[hidden email]>:
>>
>> Hi everyone,
>>
>> Does Stripes have an easy way to remove HTML from user input to prevent
>> XSS attacks?  I've googled with no success.
>>
>> Thanks,
>>
>>
>



--
Turtle, turtle, on the ground,
Pink and shiny, turn around.

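The JavaScript-context case from Mike's reply, as an added example that is not from the thread or from Stripes: a hand-written JSON-style string-literal encoder showing which escapes a serializer has to produce before a tainted value can be placed inside `<script>`. The class and package names, the bean getter and the sample value are assumptions; in real code a JSON library with HTML-safe escaping switched on does the same job.

```java
package com.example.web;                          // hypothetical package

public final class JsStringLiteral {

    // Returns the value as a double-quoted JSON/JavaScript string literal.
    // Beyond the quote, backslash and control-character escapes JSON requires,
    // '<', '>', '&' and '/' are written as unicode escapes (\u003c and so on)
    // or \/ so that a "</script>" or "<!--" sequence in the data cannot end the
    // script block, and U+2028/U+2029 are escaped because JavaScript treats
    // them as line terminators.
    public static String encode(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16).append('"');
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '"':  out.append("\\\""); break;
                case '\\': out.append("\\\\"); break;
                case '/':  out.append("\\/");  break;
                case '\n': out.append("\\n");  break;
                case '\r': out.append("\\r");  break;
                case '\t': out.append("\\t");  break;
                default:
                    if (c < 0x20 || c == '<' || c == '>' || c == '&'
                            || c == '\u2028' || c == '\u2029') {
                        out.append(String.format("\\u%04x", (int) c));
                    } else {
                        out.append(c);
                    }
            }
        }
        return out.append('"').toString();
    }

    public static void main(String[] args) {
        // Constructed sample value, as a user might have submitted it.
        String tainted = "O'Brien says \"hi\" </script>\u2028";
        // A bean getter can expose encode(...) and the JSP writes it with plain
        // EL into the script, e.g. <script>var who = ${bean.whoJsLiteral};</script>
        // Prints: var who = "O'Brien says \"hi\" \u003c\/script\u003e\u2028";
        System.out.println("var who = " + encode(tainted) + ";");
    }
}
```

Emit the result with plain `${...}`, not `<c:out>`: entities are not decoded inside `<script>`, so HTML-escaping the literal a second time would leave the JavaScript engine with `&quot;` where it expects a quote.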