I have an issue with a Cross-Site Scripting (XSS) vulnerability in my application. I have multiple forms where the user can submit data which will be stored in a database and displayed later in a JSP page. I discovered that this application isn't sufficiently protected and a user can submit malicious code which will fire an XSS attack.
I need to validate the user input on the server side after the submission of the form, because on the client side the data is displayed using a table library which renders HTML content (I have no control over this library). I found a nice library at this link (https://appsec-labs.com/portal/xss-java-secure-coding/) but it concerns only the client side.
How can I validate this input data, whether it is HTML, JavaScript code, or something else?
Thanks
Essentially you need to substitute HTML special characters like `<` with their HTML entities like `&lt;`.
In JSP you can protect against this using JSTL tag or fn:escapeXml(). There is another answer that covers that here. In PHP you can try using the htmlspecialchars function.
Also be careful of SQL injection and CSRF attacks. The OWASP Top Ten outlines some common vulnerabilities.
The right way to address this would be to fix this library (which you have no control over) or to replace it with something better. The flaw is in the library, not in your code. XSS vulnerabilities exist because of rendering code which inserts data in unsafe locations and/or does not properly escape its output.
This being said, it might be possible to secure your application without fixing/replacing the library. Or it might not. It largely depends on where the library inserts the user-supplied data.
If you can restrict the input to a string of alphanumeric characters or, better yet, a white list of authorized values, you are most likely safe. This means no spaces, no single quotes or double quotes, no less-than or greater-than signs, no commas, no colons, no semicolons... If you can't, and you have no control over the rendering code as seems to be the case, then all bets are off.
Probably, you'll get a better understanding of the issue by reading this: https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet
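As an added example (not code from the original question or either answer), here is the server-side handling both answers describe, in plain Java: an allow-list check that rejects anything but alphanumerics, and entity encoding of the characters that are special in an HTML text node or attribute value. The class and method names are my own, and the escaping is only correct for HTML body and attribute contexts, not for data the library might insert into a script block or URL.

```java
import java.util.regex.Pattern;

// Added example, not from the original post: server-side handling of
// untrusted form input before it is stored or handed to the rendering library.
public final class XssInputHandling {

    // Allow-list from the second answer: letters and digits only, bounded
    // length. Anything else is rejected outright rather than "cleaned".
    private static final Pattern ALPHANUMERIC = Pattern.compile("^[A-Za-z0-9]{1,64}$");

    public static boolean isAllowListed(String input) {
        return input != null && ALPHANUMERIC.matcher(input).matches();
    }

    // Entity-encode the five characters that matter in an HTML text node or
    // quoted attribute value (the approach the first answer describes, and
    // what JSTL's fn:escapeXml() does). In production prefer a maintained
    // encoder such as the OWASP Java Encoder, which also covers JS and URL
    // contexts that this method does not handle.
    public static String escapeHtml(String input) {
        if (input == null) {
            return "";
        }
        StringBuilder sb = new StringBuilder(input.length() + 16);
        for (int i = 0; i < input.length(); i++) {
            char c = input.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break; // must be first conceptually: never double-encode
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed sample inputs resembling form submissions.
        String hostile = "<img src=x onerror=\"alert(1)\">";
        String benign = "jdoe42";
        System.out.println("allow-listed? " + isAllowListed(hostile));
        System.out.println("allow-listed? " + isAllowListed(benign));
        System.out.println("escaped: " + escapeHtml(hostile));
    }
}
```

Apply the escaping at output time (in the JSP, or in the servlet that builds the data the table library receives), not only at storage time, so data that enters the database by another path is still encoded.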