I am developing a web application and am facing some security issues.
In my application, users can send messages and see others (message board, for example, an application). I check all form fields that users can submit to my application.
There are some very simple fields, such as "nick name", which can be 6-10 alphabetic characters or the time the message was sent, which is sent to users as a string, and then (when users request messages, "younger" or "older" than date). I am analyzing this with SimpleDateFormat (I am developing in java, but my question is not only related to java).
The big problem is the message box. I cannot limit it to alphabetic characters only (upper or lower case), because I have to deal with some commonly used characters such as ",", /, {,}, etc. (Users will not be satisfied if the system doesn't allow them to use these things)
According to this http://ha.ckers.org/xss.html there are many ways to "hack" my site. But I wonder if I can do this to prevent this? Not all, because there is no 100% protection, but I would like the solution to be able to protect my site.
I use server-side servlets and client-side jQuery. My application is "full" AJAX, so users open 1 JSP, then all data is loaded and displayed jQuery using JSON. (yes, I know that these are not "non-javascript users", but this is 2010, right? :-)) I know that checking the front end is not enough. I would like to use verification on 3 layers: - 1. front end, javascript check the data, then send to the server - 2. server side, the same check if there is something that should not be (due to javascript on the side client), I am a BAN user 3. if there is something that I could not catch earlier, the handler processes and processes accordingly
Is there a solution out of the box, especially for Java? Or another solution that I can use?