Thread: Preventing Cross-site scripting attacks in Spring

  1. #1
    Join Date
    Aug 2009
    Posts
    1

    Question Preventing Cross-site scripting attacks in Spring

    Hello,

    I am looking to add some strict cross-site scripting rules to my application, which is based on Spring. I set the recommended 'defaultHtmlEscape' to true and used the <c:out> tag, but there are still some things we would like to prevent. I decided to use the Java HTML sanitizer from https://www.owasp.org/index.php/OWAS...itizer_Project . This will require me to call the sanitizing function everywhere a parameter is read, which means changes in a lot of places. Is there a central place I can do this? Perhaps a class through which all the parameters are parsed? I saw that NamedParameterUtils is used internally in Spring to parse the parameters. Is there a way to extend it?

    I also tried the XSS filter from http://www.servletsuite.com/servlets/xssflt.htm, but it does not satisfy all our security requirements.

    Is there any other way of doing this in Spring?

    Any pointers are greatly appreciated.

    thanks,

    Asha
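One central place for the sanitizer is a servlet filter that wraps the request, so every controller, data binder and JSP reads already-sanitized parameter values. The following is an added example written for this thread, not code from the original post, Spring or the OWASP project; it assumes the javax.servlet API and the OWASP Java HTML Sanitizer (org.owasp.html) on the classpath.

```java
import java.io.IOException;
import java.util.LinkedHashMap;
import java.util.Map;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import org.owasp.html.PolicyFactory;
import org.owasp.html.Sanitizers;

// Registered once in web.xml (or via Spring's DelegatingFilterProxy); it wraps each
// request so that all parameter reads go through one sanitizing policy.
public class HtmlSanitizingFilter implements Filter {

    // Allow-list policy: simple formatting and links survive; script tags,
    // event-handler attributes and javascript: URLs are removed by the sanitizer.
    static final PolicyFactory POLICY = Sanitizers.FORMATTING.and(Sanitizers.LINKS);

    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        chain.doFilter(new SanitizedRequest((HttpServletRequest) req), res);
    }

    static class SanitizedRequest extends HttpServletRequestWrapper {
        SanitizedRequest(HttpServletRequest request) { super(request); }

        @Override public String getParameter(String name) {
            String raw = super.getParameter(name);
            return raw == null ? null : POLICY.sanitize(raw);
        }

        @Override public String[] getParameterValues(String name) {
            String[] raw = super.getParameterValues(name);
            if (raw == null) return null;
            String[] clean = new String[raw.length];
            for (int i = 0; i < raw.length; i++) clean[i] = POLICY.sanitize(raw[i]);
            return clean;
        }

        // Some callers read the whole map instead of single names, so cover it too.
        @Override public Map<String, String[]> getParameterMap() {
            Map<String, String[]> clean = new LinkedHashMap<String, String[]>();
            for (String name : super.getParameterMap().keySet())
                clean.put(name, getParameterValues(name));
            return clean;
        }
    }
}
```

Input sanitizing this way complements rather than replaces output escaping (defaultHtmlEscape and <c:out>), and it will alter any legitimate field that contains angle brackets, so scope the filter's URL pattern to the forms where stripping markup is acceptable.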

  2. #2
    Join Date
    Jun 2006
    Location
    The Netherlands
    Posts
    13,629

    Default

    Instead of rolling your own I suggest you take a look at HDIV which integrates with spring 3.1 (due to some new hooks, older versions need some overriding of taglibs if I recall correctly). That has out-of-the-box support for XSS, CSRF, Data Integrity Checks etc.
    Marten Deinum
    Java Consultant / Pragmatist / Open Source Enthusiast / Author


    Pro Spring MVC: With Web Flow
    Conspect

    Have you read the reference guide?
    Use the [ code ] tags, young padawan
