XSS filter to remove all scripts

Question

I am implementing an XSS filter for my web application and also using the ESAPI encoder to sanitise the input.

The patterns I am using are as given below,

Answer 1

You can combine ESAPI and JSoup to clear out all the XSS vulnerabilities. I would definitely avoid trying to manually write all the regexes when other libraries are built to handle this for you.

Here is an XSS filter implementation for Jersey 2.x: How to Modify QueryParam and PathParam in Jersey 2

Answer 2

This isn't the right approach. It's mathematically impossible to write a regex capable of correctly punting XSS. (Regex is "regular" but HTML and Javascript are both context-free grammars.)

You can however guarantee that when you switch contexts, (hand off a piece of data that is going to be interpreted) that the data is correctly escaped for that context switch. So, when sending data to a browser, escape it for HTML if its being handled as HTML or as Javascript if its being handled by javascript.

If you DO need to allow HTML/javascript into your application, then you'll want a web-application firewall or a framework like HDIV.