Cross Site Scripting (XSS) filtering?

**dhainlin** · Jan 30th, 2005, 01:23 PM

Has anyone developed a cross site scripting filter/interceptor for their webapp using Acegi? Does this even make sense? I have used the BadInputFilterValve from the O'Reilly http://www.oreilly.de/catalog/tomcat/ Tomcat book. It works great but it seemed like a filter would be more general.

**Ben Alex** · Jan 30th, 2005, 04:37 PM

No, Acegi Security doesn't have a XSS filter.

I am not sure how you could do it at a filter level. http://www.cgisecurity.com/articles/...q.shtml#vendor discusses the conversion of potentially malicious characters from the output stream, but how would that filter decide which are valid (ie administrator/developer defined) versus invalid (malicious user defined)? It would seem more an application-level responsibility to filter at the point user content submissions are accepted.

**dhainlin** · Jan 30th, 2005, 07:53 PM

Thanks for the quick response Ben. I'll keep pondering this and see how I can come up with a more neutral solution.

**dhainlin** · Jan 31st, 2005, 10:24 AM

After testing my app, at appears that Spring is escaping the html markup that might make a page vulnerable. I'm not sure how/why but I didn't need to apply xss filtering to my spring app to make it work. Any attempt at putting markup into my input fields resulted in the markup being property html escaped! Not so for my older struts app tho :wink:

As usual, I'm barking up the wrong tree.

Thread: Cross Site Scripting (XSS) filtering?

Thread Tools

Display

Cross Site Scripting (XSS) filtering?

Similar Threads

Scripting language for the weblayer.

Filtering and Pageno info in session for master detail pages

How is the Spring web site produced?

bean definition using inline scripting languages?

Posting Permissions