How do you escape HTML attribute values in Java without the OWASP library?

I use Apache StringEscapeUtils for HTML entities, but if you want to escape HTML attribute values, is there a standard way to do this? I assume that using the escapeHtml function doesn't cut it, because otherwise why would the OWASP Encoder interface have two different methods for handling this?

Does anyone know what is involved in escaping HTML attributes versus HTML entities, and what to do about attribute encoding if you don't have the OWASP library?

1 answer

This seems to be rule #2 of the OWASP XSS Prevention Cheat Sheet. Note the bit where it says:

Properly quoted attributes can only be escaped with the corresponding quote.

Therefore, I guess as long as the attributes are properly delimited with double or single quotes and you escape those (i.e. double quote (") becomes &quot; and single quote (') becomes &#x27; (or &#39;)) then you should be OK. Note that Apache StringEscapeUtils.escapeHtml will be insufficient for this task since it does not escape the single quote ('); you should use the String replaceAll method to do this.

Otherwise, if the attribute is written as <div attr=some_value>, you need to follow the recommendations on that page and...

escape all characters with ASCII values less than 256 using the &#xHH; format (or a named entity, if available) to prevent switching out of the attribute

I'm not sure whether there is a standard implementation other than OWASP. However, I suppose it's good practice not to write attributes this way anyway!

Please note that this only applies when inserting into standard attribute values; if the attribute is href or some kind of JavaScript event handler, then that is a different story. See http://ha.ckers.org/xss.html for examples of possible XSS attacks that can arise from insecure code inside event handler attributes.

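The two cases the answer distinguishes (a quoted attribute value, where the delimiting quote is what matters, and an unquoted one, where whitespace, `=`, `/` or `>` also end the value) can be implemented in plain Java in a few lines. The code below is an added example, not part of the original question or answer and not the OWASP Encoder's code; it uses the escape sets from the cheat sheet rule quoted above, and the attacker-controlled strings in `main` are constructed for the demonstration. The `escapeHtmlLike` helper is a stand-in that reproduces, for these ASCII inputs, what Apache's `escapeHtml` does to `&`, `<`, `>` and `"`, so the single-quote gap can be shown without pulling in commons-lang.

```java
public class AttributeEncoding {

    /**
     * For a value placed inside a double- or single-quoted attribute.
     * Both quote characters are escaped, so the output is safe whichever
     * delimiter the template uses; &, < and > are escaped as well so the
     * same output is also safe if it is ever copied into element content.
     */
    public static String forQuotedAttribute(String input) {
        StringBuilder out = new StringBuilder(input.length() + 16);
        for (int i = 0; i < input.length(); i++) {
            char c = input.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#x27;"); break; // the one escapeHtml leaves alone
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    /**
     * For an unquoted attribute (attr=value). Per the cheat sheet rule, every
     * character below 256 that is not [A-Za-z0-9] becomes &#xHH; so that no
     * space, '=', '/', '>' or quote can terminate the value. Characters at or
     * above 256 cannot end an attribute and are passed through unchanged.
     */
    public static String forUnquotedAttribute(String input) {
        StringBuilder out = new StringBuilder(input.length() * 6);
        for (int i = 0; i < input.length(); i++) {
            char c = input.charAt(i);
            boolean alnum = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z')
                         || (c >= '0' && c <= '9');
            if (alnum || c >= 256) {
                out.append(c);
            } else {
                out.append("&#x").append(Integer.toHexString(c).toUpperCase()).append(';');
            }
        }
        return out.toString();
    }

    /** Stand-in for StringEscapeUtils.escapeHtml on ASCII input: no single-quote handling. */
    static String escapeHtmlLike(String input) {
        return input.replace("&", "&amp;").replace("<", "&lt;")
                    .replace(">", "&gt;").replace("\"", "&quot;");
    }

    public static void main(String[] args) {
        // Constructed attacker-controlled inputs, one per attribute context.
        String dq = "x\" onmouseover=\"alert(1)"; // closes a double-quoted value
        String sq = "x' onmouseover='alert(1)";   // closes a single-quoted value
        String uq = "x onmouseover=alert(1)";     // a space is enough when unquoted

        // Correct encoder for each context: the payload stays inside title.
        System.out.println("<div title=\"" + forQuotedAttribute(dq) + "\">");
        System.out.println("<div title='" + forQuotedAttribute(sq) + "'>");
        System.out.println("<div title=" + forUnquotedAttribute(uq) + ">");

        // Wrong tool: an escapeHtml-style encoder inside a single-quoted attribute
        // prints <div title='x' onmouseover='alert(1)'>, i.e. the handler is injected.
        System.out.println("<div title='" + escapeHtmlLike(sq) + "'>");
    }
}
```

If the OWASP Java Encoder is available, `Encode.forHtmlAttribute` and `Encode.forHtmlUnquotedAttribute` are the library counterparts of the two methods above, and, as the answer notes, neither helps for `href` or event-handler attributes, where the value is interpreted as a URL or as JavaScript after attribute decoding.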

Source: https://habr.com/ru/post/1399161/
