63

What should I do to prevent XSS in Spring MVC? Right now I am just putting all places where I output user text into JSTL <c:out> tags or fn:escapeXml() functions, but this seems error prone as I might miss a place.

Is there an easy systematic way to prevent this? Maybe like a filter or something? I'm collecting input by specifying @RequestParam parameters on my controller methods.

BalusC
  • 1,082,665
  • 372
  • 3,610
  • 3,555
Doug
  • 813
  • 1
  • 7
  • 7
  • 2
    See Joel Spolsky's *Making Code Look Wrong* -- http://www.joelonsoftware.com/articles/Wrong.html -- which is about how to deal with this exact problem. – mob Jan 27 '10 at 17:13
  • The title could be comically misread and answered "first, install a JVM into the person's brain". ;) – Svante Jan 31 '10 at 11:23
  • A very similar question can be found here: http://stackoverflow.com/questions/2658922/xss-prevention-in-java – Brad Parks Jul 17 '12 at 13:15
  • 1
    I've written a blog post on how to filter out XSS vulnerabilities for a Jersey REST API. It's easy enough to map this onto a standard Java Filter: http://codehustler.org/jersey-cross-site-scripting-xss-filter-for-java-web-apps/ – Alessandro Giannone May 15 '13 at 13:51

8 Answers8

65

In Spring you can escape the html from JSP pages generated by <form> tags. This closes off a lot avenues for XSS attacks, and can be done automatically in three ways:

For the entire application in the web.xml file:

<context-param>
    <param-name>defaultHtmlEscape</param-name>
    <param-value>true</param-value>
</context-param>

For all forms on a given page in the file itself:

<spring:htmlEscape defaultHtmlEscape="true" />

For each form:

<form:input path="someFormField" htmlEscape="true" />
Brad Parks
  • 66,836
  • 64
  • 257
  • 336
Tendayi Mawushe
  • 25,562
  • 6
  • 51
  • 57
  • 3
    I put in an include file that I include in all my pages, but it doesn't seem to make a difference. Will that tag cause ${param.q} to be escaped? – Doug Jan 27 '10 at 15:50
  • 3
    If you use the resulting strings inside a HTML attribute or a Javascript, `defaultHTMLEscape` is not enough, then use the ``-tag. It seems like defaultHtmlEscape does not escape all html-characters. It escapes e.g. '<' '>' or '&' but double quotation marks `"` were not escaped for me. This can lead to problems if the resulting string is used e.g. in a html-attribute or a javascript. (See also answer by Erlend) – Andreas May 21 '10 at 09:43
  • 5
    I add the context-param to my web.xml but it does not work. – Jack Aug 05 '15 at 02:11
  • 2
    Is it for input encoding or output escaping? – pinkpanther Jul 22 '16 at 06:51
13

I use Hibernate Validator via @Valid for all input objects (binding and @RequestBody json, see https://dzone.com/articles/spring-31-valid-requestbody). So @org.hibernate.validator.constraints.SafeHtml is a good solution for me.

Hibernate SafeHtmlValidator depends on org.jsoup, so it's needed to add one more project dependencies:

<dependency>
    <groupId>org.jsoup</groupId>
    <artifactId>jsoup</artifactId>
    <version>1.10.1</version>
</dependency>

For bean User with field

@NotEmpty
@SafeHtml
protected String name;

for update attempt with value <script>alert(123)</script> in controller

@PutMapping(value = "/{id}", consumes = MediaType.APPLICATION_JSON_VALUE)
public void update(@Valid @RequestBody User user, @PathVariable("id") int id)

or

@PostMapping
public void createOrUpdate(@Valid User user) {

is thrown BindException for binding and MethodArgumentNotValidException for @RequestBody with default message:

name may have unsafe html content

Validator works as well for binding, as before persisting. Apps could be tested at http://topjava.herokuapp.com/

UPDATE: see also comment from @GuyT

CVE-2019-10219 and status of @SafeHtml

We have been made aware of a CVE-2019-10219 related to the @SafeHtml constraint and it was fixed in both 6.0.18.Final and 6.1.0.Final....

However, we came to the conclusion that the @SafeHtml constraint was fragile, highly security-sensitive and depending on an external library that wasn’t designed for this purpose. Having it included in core Hibernate Validator was not a very good idea. That’s why we deprecated it and marked it for removal.There is no magic plan here so our users will have to maintain this constraint themselves

Resume for myself: it is safe and could be used, until solution better be found.

UPDATE: due to remove @SafeHtml/SafeHtmlValidator from hibernate.validator use own NoHtmlValidator, see https://stackoverflow.com/a/68888601/548473

Grigory Kislin
  • 16,647
  • 10
  • 125
  • 197
  • 2
    Please note this is deprecated now due to security issues https://stackoverflow.com/questions/58913428/what-alternatives-are-there-to-hibernate-validators-safehtml-to-validate-strin – GuyT Apr 20 '20 at 08:48
8

Try XSSFilter.

opyate
  • 5,388
  • 1
  • 37
  • 64
Bozho
  • 588,226
  • 146
  • 1,060
  • 1,140
  • My application stopped working after configuring for xssflt.jar. As soon as i removed filter and filter mapping from web xml it started working. – Manish Mahajan Apr 19 '14 at 09:50
  • How can I use this in a Maven based project? – Jack Aug 05 '15 at 02:11
  • 1
    it’s not working for form type multipart that means when we sending files with form this filtering is not working, is my query correct? If yes, is there any solution? Or what’s wrong with me – Dhanu K May 21 '18 at 19:35
6

When you are trying to prevent XSS, it's important to think of the context. As an example how and what to escape is very different if you are ouputting data inside a variable in a javascript snippet as opposed to outputting data in an HTML tag or an HTML attribute.

I have an example of this here: http://erlend.oftedal.no/blog/?blogid=91

Also checkout the OWASP XSS Prevention Cheat Sheet: http://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet

So the short answer is, make sure you escape output like suggested by Tendayi Mawushe, but take special care when you are outputting data in HTML attributes or javascript.

Erlend
  • 4,336
  • 22
  • 25
  • "take special care" = use the ``-tag when you output data in HTML attributes or javascript. (see my comment at Tendayi Mawushe's answer) – Andreas May 21 '10 at 09:45
  • 2
    Well, it's more than just using . Javascript has other control characters than HTML, and can be attacked in different ways, and so needs to be handled using other types of escaping. A simple example:var a = ''; var b = ''; If the input in a is a single backslash, script in b will run. Escaping depends on context. – Erlend May 23 '10 at 22:22
0

How are you collecting user input in the first place? This question / answer may assist if you're using a FormController:

Spring: escaping input when binding to command

Community
  • 1
  • 1
Ben
  • 7,548
  • 31
  • 45
0

Always check manually the methods, tags you use, and make sure that they always escape (once) in the end. Frameworks have many bugs and differences in this aspect.

An overview: http://www.gablog.eu/online/node/91

sibidiba
  • 6,270
  • 7
  • 40
  • 50
0

Instead of relying only on <c:out />, an antixss library should also be used, which will not only encode but also sanitize malicious script in input. One of the best library available is OWASP Antisamy, it's highly flexible and can be configured(using xml policy files) as per requirement.

For e.g. if an application supports only text input then most generic policy file provided by OWASP can be used which sanitizes and removes most of the html tags. Similarly if application support html editors(such as tinymce) which need all kind of html tags, a more flexible policy can be use such as ebay policy file

rjha
  • 111
  • 1
  • 6
-1
**To avoid XSS security threat in spring application**

solution to the XSS issue is to filter all the textfields in the form at the time of submitting the form.

    It needs XML entry in the web.xml file & two simple classes.

        java code :-
        The code for the  first class named CrossScriptingFilter.java is :

        package com.filter;

        import java.io.IOException;
        import javax.servlet.Filter;
        import javax.servlet.FilterChain;
        import javax.servlet.FilterConfig;
        import javax.servlet.ServletException;
        import javax.servlet.ServletRequest;
        import javax.servlet.ServletResponse;
        import javax.servlet.http.HttpServletRequest;
        import org.apache.log4j.Logger;

        public class CrossScriptingFilter implements Filter {
            private static Logger logger = Logger.getLogger(CrossScriptingFilter.class);
            private FilterConfig filterConfig;

            public void init(FilterConfig filterConfig) throws ServletException {
                this.filterConfig = filterConfig;
            }

            public void destroy() {
                this.filterConfig = null;
            }

            public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
                throws IOException, ServletException {
                logger.info("Inlter CrossScriptingFilter  ...............");
                chain.doFilter(new RequestWrapper((HttpServletRequest) request), response);
                logger.info("Outlter CrossScriptingFilter ...............");
            }

        }

The code second class named RequestWrapper.java is :

package com.filter;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

import org.apache.log4j.Logger;

public final class RequestWrapper extends HttpServletRequestWrapper {
    private static Logger logger = Logger.getLogger(RequestWrapper.class);
    public RequestWrapper(HttpServletRequest servletRequest) {
        super(servletRequest);
    }

    public String[] getParameterValues(String parameter) {
        logger.info("InarameterValues .. parameter .......");
        String[] values = super.getParameterValues(parameter);
        if (values == null) {
            return null;
        }
        int count = values.length;
        String[] encodedValues = new String[count];
        for (int i = 0; i < count; i++) {
            encodedValues[i] = cleanXSS(values[i]);
        }
        return encodedValues;
    }

    public String getParameter(String parameter) {
        logger.info("Inarameter .. parameter .......");
        String value = super.getParameter(parameter);
        if (value == null) {
            return null;
        }
        logger.info("Inarameter RequestWrapper ........ value .......");
        return cleanXSS(value);
    }

    public String getHeader(String name) {
        logger.info("Ineader .. parameter .......");
        String value = super.getHeader(name);
        if (value == null)
            return null;
        logger.info("Ineader RequestWrapper ........... value ....");
        return cleanXSS(value);
    }

    private String cleanXSS(String value) {
        // You'll need to remove the spaces from the html entities below
        logger.info("InnXSS RequestWrapper ..............." + value);
        //value = value.replaceAll("<", "& lt;").replaceAll(">", "& gt;");
        //value = value.replaceAll("\\(", "& #40;").replaceAll("\\)", "& #41;");
        //value = value.replaceAll("'", "& #39;");
        value = value.replaceAll("eval\\((.*)\\)", "");
        value = value.replaceAll("[\\\"\\\'][\\s]*javascript:(.*)[\\\"\\\']", "\"\"");

        value = value.replaceAll("(?i)<script.*?>.*?<script.*?>", "");
        value = value.replaceAll("(?i)<script.*?>.*?</script.*?>", "");
        value = value.replaceAll("(?i)<.*?javascript:.*?>.*?</.*?>", "");
        value = value.replaceAll("(?i)<.*?\\s+on.*?>.*?</.*?>", "");
        //value = value.replaceAll("<script>", "");
        //value = value.replaceAll("</script>", "");
        logger.info("OutnXSS RequestWrapper ........ value ......." + value);
        return value;
    }

The only thing remained is the XML entry in the web.xml file:

        <filter>
        <filter-name>XSS</filter-name>
        <display-name>XSS</display-name>
        <description></description>
        <filter-class>com.filter.CrossScriptingFilter</filter-class>
    </filter>

    <filter-mapping>
        <filter-name>XSS</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

The /* indicates that for every request made from browser, it will call CrossScriptingFilter class. Which will parse all the components/elements came from the request & will replace all the javascript tags put by hacker with empty string i.e

GAURAV KUMAR GUPTA
  • 766
  • 8
  • 10
  • your code is a bad pattern to avoid XSS. You don't need to do à Blacklist with replace approach. You need to encode output to really fight XSS ! – SPoint Oct 19 '18 at 11:51
  • Blacklisting your input like presented in this answer, as @SPoint also said, is a bad approach. You need a two pronged solution: 1 escape out put and 2 whitelist input. Whitelisting restricts what the user is allowed to submit as opposed to blacklisting where you allow anything and hope to clean the input yourself – wi2ard Feb 25 '19 at 10:29