Hi,
Cross site scripting, better known as XSS, is in fact a subset of HTML injection. XSS is the most prevalent and pernicious web application security issue.
XSS allows attackers to execute script in the victim’s browser, which can hijack user sessions, deface web sites, insert hostile content, conduct phishing attacks, and take over the user’s browser using scripting malware.
There is no Cross Site Scripting (XSS) defense in OpenXava; you can simply write a JavaScript program in any text field.
Please advise what to do in OpenXava to prevent Cross Site Scripting.
Best Regards
Sami AlSayyed
Hi Sami,
> There is no Cross Site Scripting (XSS) defense in openxava, and simply you can write a
> javascript program in any text field.
Yes. And refining OX to prevent XSS is a good contribution.
You can create some XSS scenarios with OX, and then modify OX to avoid them.
After it you can contribute the code.
I think that a little modification in the standard formatters of OX is enough for preventing XSS.
Look at the methods parse and format of MetaProperty, and the classes in the org.openxava.formatters package.
By default, if a formatter exists (look at default-editors.xml) OX uses it for converting from HTML to Java and vice versa, otherwise it simply uses the code of MetaProperty.parse and MetaProperty.format.
Tell me about your progress.
Cheers
Javi
Hi Javi,
I have done the following until now:
First:
Add these methods to the org.openxava.util.Strings class
/**
* A key function of any application filtering process will be
* the removal of possible dangerous special characters.
* We will replace all these characters by the escape HTML character
*
* @author Sami AlSayyed
* @return new safe string
*/
public static String removeXSS(String notSafeValue) {
if (Is.emptyString(notSafeValue)) {
return "";
}
String newSafeValue = "";
for (int i = 0; i < notSafeValue.length(); i++) {
switch (notSafeValue.charAt(i)) {
case '>' : newSafeValue = newSafeValue + "&gt;"; break;
case '<' : newSafeValue = newSafeValue + "&lt;"; break;
case '\'': newSafeValue = newSafeValue + "&#39;"; break;
case '\"': newSafeValue = newSafeValue + "&quot;"; break;
default : newSafeValue = newSafeValue + notSafeValue.charAt(i); break;
}
}
return newSafeValue;
}
/**
* @param notSafeValue
* @return Safe Object
*/
public static Object removeXSS(Object notSafeValue) {
if (notSafeValue != null && notSafeValue instanceof String) {
return removeXSS(notSafeValue.toString());
}
return notSafeValue;
}
Second:
In org.openxava.view.View, modify the trySetValue method like this
..
public boolean trySetValue(String name, Object value) throws XavaException {
+ value = Strings.removeXSS(value);
..
..
}
This is what I did and it is working fine, but now I will make some changes after I saw your message.
Regards
Sami AlSayyed
Hi,
the idea of putting the solution in the View class has the advantage
of having a simple solution in a single point. This is good,
especially if you can manage the XSS for all types.
But, in your code you have:
value = Strings.removeXSS(value);
In this way you are converting all the objects to String type.
This does not work, because a View object can store values of
any Java type, including numbers, dates and custom types.
You must do the XSS filter at the 'parse' (conversion from String to Object) point.
Cheers
Javi
Hi Javi,
> In this way you are converting all the objets to String type.
This line of code: value = Strings.removeXSS(value);
will call the second method
public static Object removeXSS(Object notSafeValue) {
if (notSafeValue != null && notSafeValue instanceof String) {
return removeXSS(notSafeValue.toString());
}
return notSafeValue;
}
And this method will check if this object is a String, if not it will return the same object without converting it to String type.
> You must do the XSS filter in 'parse' (conversion from String to Object) point.
Yes, it is better to put it there, because we will not need to check if the Object is a String or not, I will do it and tell you.
Thank you Javi
Regards
Sami AlSayyed
Hi Javi,
I have made some changes to the removeXSS method, I think it is now better.
Now, all XSS will be removed from the String.
import java.util.regex.Matcher;
import java.util.regex.Pattern;
/**
* A key function of any application filtering process will be
* the removal of possible dangerous special characters and code scripts.
*
* @author Sami AlSayyed
* @return new safe string
*/
public static String removeXSS(String notSafeValue) {
if (Is.emptyString(notSafeValue)) {
return "";
}
// Blacklist: removes script, embed and object tags, and anchors whose href runs javascript:
String XSS_REGEXP_PATTERN = "(?i)<[\\s]*/?script.*?>|<[\\s]*/?embed.*?>|<[\\s]*/?object.*?>|<[\\s]*a[\\s]*href[^>]*javascript[\\s]*:[^(^)^>]*[(][^)]*[)][^>]*>[^<]*(<[\\s]*/[\\s]*a[^>]*>)*";
Pattern XSS_PATTERN = Pattern.compile(XSS_REGEXP_PATTERN);
// A String is already a CharSequence, so it can be matched directly
Matcher matcher = XSS_PATTERN.matcher(notSafeValue);
return matcher.replaceAll("");
}
Best Regards
Sami AlSayyed
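The following is an added example, not OpenXava code and not posted by anyone in this thread: it carries the entity-escaping idea from Sami's first removeXSS through a type-aware hook at the 'parse' point, as Javi recommended, and also escapes '&', which the posted version leaves out. The class name XssEscaper and the method names escapeHtml and filterParsed are hypothetical.

```java
/**
 * Hypothetical helper added for illustration; not part of OpenXava.
 * Escapes on the String level only, so non-String values are never
 * converted, which was Javi's objection to filtering in View.
 */
public final class XssEscaper {

    private XssEscaper() {}

    /**
     * Replaces the five characters that can change HTML structure with
     * entities. '&' is included so text the user typed, e.g. "&lt;",
     * is shown exactly as typed instead of being decoded by the browser.
     */
    public static String escapeHtml(String value) {
        if (value == null || value.isEmpty()) {
            return "";
        }
        StringBuilder out = new StringBuilder(value.length() + 16);
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);        break;
            }
        }
        return out.toString();
    }

    /**
     * Hook for the 'parse' (String to Object) point: only String results
     * are escaped; numbers, dates, byte[] and custom types pass through
     * as the very same object.
     */
    public static Object filterParsed(Object parsed) {
        return (parsed instanceof String) ? escapeHtml((String) parsed) : parsed;
    }

    public static void main(String[] args) {
        // Constructed sample values of the kinds a View can hold
        Object[] samples = { "<script>alert('x')</script>", "Tom & Jerry",
                             Integer.valueOf(42), new byte[] { 1, 2 } };
        for (Object s : samples) {
            Object out = filterParsed(s);
            System.out.println(s.getClass().getSimpleName() + " -> " + out
                               + " (same object: " + (out == s) + ")");
        }
    }
}
```

A byte[] holding text passes through untouched here, which is exactly the case Javi asks about later in the thread; it would need its own handling in the formatter for that type.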
Hi Sami,
thanks!
Can I add your code in this thread to OpenXava ?
Cheers
Javi
Hi Sami,
What about the case where the developer uses a non-String property (byte [])
for storing text data?
Cheers
Javi
Hi Javi,
> Can I add your code in this thread to OpenXava ?
I will be glad :)
> What about the case that the developer uses a not String property (byte [])
> for storing text data ?
Let me check what I can do, I don't have development tools on this PC and I am not working now ;)
Regards
Sami AlSayyed
Hi Sami,
>> Can I add your code in this thread to OpenXava ?
> I will be glad :)
Your code is now in OpenXava CVS HEAD, and it will
be available in OX2.2.4.
Also, I will put your name in credits page.
Now, you are part of the OpenXava team.
Cheers
Javi
Hi Javi,
Thank you so much :)
Regards
Sami AlSayyed