XSS filter to remove all scripts

前端 未结 2 1217
北恋
北恋 2021-01-23 07:54

I am implementing an XSS filter for my web application and also using the ESAPI encoder to sanitise the input.

The patterns I am using are as given below,



        
相关标签:
2条回答
  • 2021-01-23 08:15

    You can combine ESAPI and JSoup to clear out all the XSS vulnerabilities. I would definitely avoid trying to manually write all the regexes when other libraries are built to handle this for you.

    Here is an XSS filter implementation for Jersey 2.x: How to Modify QueryParam and PathParam in Jersey 2

    0 讨论(0)
  • 2021-01-23 08:36

    This isn't the right approach. It's mathematically impossible to write a regex capable of correctly punting XSS. (Regex is "regular" but HTML and Javascript are both context-free grammars.)

    You can however guarantee that when you switch contexts, (hand off a piece of data that is going to be interpreted) that the data is correctly escaped for that context switch. So, when sending data to a browser, escape it for HTML if its being handled as HTML or as Javascript if its being handled by javascript.

    If you DO need to allow HTML/javascript into your application, then you'll want a web-application firewall or a framework like HDIV.

    0 讨论(0)
提交回复
热议问题