How to fix an XSS vulnerability

We use Fortify to scan the Java source code, and it complains about the error below:

Method abc() sends unvalidated data to a web browser on line 200, which can result in the browser executing malicious code. 

We have the code below on line 200:

 <a href="<%= Util.getProduct(request) %>">Product</a> 

And Util.java has the code below in the getProduct method:

 String prod = request.getParameter("prod"); 

Can someone tell me how to fix this XSS vulnerability?

Thanks!

+4
2 answers

You need to escape the output of Util.getProduct(request). This is usually done using JSTL's <c:out> tag together with EL:

 <a href="<c:out value="${Util.getProduct(request)}"/>" class="left_nav_link">Product</a> 

NB: you will have to use a fairly modern implementation of EL (see JSTL or JSP 2.0 EL for getter with argument and Parameters in EL methods) to pass an argument to the getter method.


Since the code in your question contains scriptlets, I strongly suggest you read How to avoid Java code in JSP files? That question covers the reasons for using JSTL + EL instead of scriptlets, as well as some information about what these two abbreviations actually refer to.

+2

If you do not have JSTL for this website, you can fix the problem by making sure that you only print valid products:

    /** Only a product key from the fixed list is ever echoed back into the page. */
    public String getProduct( String prod ) throws InputValidationException {
        // "literal".equals( prod ) is null-safe; prod.equals( ... ) would throw if the parameter is missing
        if ( "myProduct1".equals( prod ) || "myProduct2".equals( prod ) || "myProduct3".equals( prod ) // etc.
        ) {
            return "/foo/page.jsp?product=" + prod; // was safeProduct, which is never declared
        } else {
            throw new InputValidationException( "Invalid product key provided." );
        }
    }
+1
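Pulling the two answers together, as an added example that is not code from the question or from either answer: a stand-in for Util.getProduct() that checks the product key against an allowlist (second answer), URL-encodes the validated key into the link, and applies the same replacements <c:out> makes (first answer) before the value is written into href="...". The class name ProductLink, the allowlist contents and the /foo/page.jsp path are assumptions, and it assumes Java 11 or later. Running it also shows the caveat that matters for an href: a javascript: URL contains none of the five characters <c:out> escapes, so escaping leaves it intact and only the allowlist rejects it.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.Set;

// Added example, not code from the original question or answers.
// Hardened stand-in for Util.getProduct(): allowlist the key, build the
// URL from the validated key, then HTML-attribute-escape the result.
public class ProductLink {

    // Assumption: these are the only legitimate product keys.
    private static final Set<String> ALLOWED = Set.of("myProduct1", "myProduct2", "myProduct3");

    public static class InputValidationException extends Exception {
        public InputValidationException(String msg) { super(msg); }
    }

    /** Allowlist check: only a known key ever reaches the URL. Null-safe. */
    public static String validateProduct(String prod) throws InputValidationException {
        if (prod == null || !ALLOWED.contains(prod)) {
            throw new InputValidationException("Invalid product key provided.");
        }
        return prod;
    }

    /** Same five replacements JSTL's <c:out escapeXml="true"> performs. */
    public static String escapeXml(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&#034;"); break;
                case '\'': sb.append("&#039;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** href value: allowlisted key, URL-encoded into the query string, then attribute-escaped. */
    public static String productHref(String prod) throws InputValidationException {
        String key = validateProduct(prod);
        String url = "/foo/page.jsp?product=" + URLEncoder.encode(key, StandardCharsets.UTF_8);
        return escapeXml(url);
    }

    public static void main(String[] args) {
        // Constructed inputs: one legitimate key and two XSS payloads.
        String[] inputs = {
            "myProduct1",
            "\"><script>alert(1)</script>",   // breaks out of the attribute if written unescaped
            "javascript:alert(1)"             // survives escaping; only the allowlist stops it
        };
        for (String in : inputs) {
            try {
                System.out.println("<a href=\"" + productHref(in) + "\">Product</a>");
            } catch (InputValidationException e) {
                System.out.println("rejected " + escapeXml(in) + ": " + e.getMessage());
            }
        }
        // Escaping on its own: the javascript: payload comes back unchanged,
        // which is why the allowlist (or a scheme check) is still needed in href.
        System.out.println(escapeXml("javascript:alert(1)"));
    }
}
```

The first payload is neutralised by either defence (the allowlist rejects it; escaping would also turn the quote and angle brackets into entities). The second is the one to remember when the sink is a URL attribute: <c:out> is the right tool for stopping markup injection, but deciding which URLs are acceptable is validation, not escaping, and belongs in getProduct() as the second answer does.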

Source: https://habr.com/ru/post/1380500/
