TechQA.

How to avoid XSS with this bit of scriplet?

464 views Asked by At

Using Checkmarx, this one page has multiple uses of the "request.getParameterNames()" and is flagged by Checkmarx as "CGI_Reflected_XSS_All_Clients" (Query Name). The page is "error.jsp" so it is a common page that is used across multiple apps in my company. This page gets displayed when an unexpected error occurs. Why this way? who knows, best to not show it and just log it out instead. I'm pretty new to the fixing code being reported as vulnerable by Checkmarx. 

<h3>Request Parameters</h3>
<pre>
<%
   lEnum = request.getParameterNames();
   while(lEnum.hasMoreElements())
   {
      String key = (String)lEnum.nextElement();
      String[] paramValues = request.getParameterValues(key);
      for(int i = 0; i < paramValues.length; i++)
      {
         out.println("  " + key + " : "  + paramValues[i]); 
      }
   }
%>
</pre>
jsp xss checkmarx
Original Q&A
2

There are 2 answers

0
fgb On

The values output to the page need to be escaped for HTML. Replace quotes, brackets, and ampersands with their entities. This can be done with libraries such as Guava like:

Escaper escaper = HtmlEscapers.htmlEscaper();
out.println("  " + escaper.escape(key) + " : " + escaper.escape(paramValues[i]));
0
Neil Nandi On

Use Spring-Web's HtmlUtils.htmlEscape(Variable) to sanitize parameters before passing to method.

Also, you can try

Variable=Variable.replace("'", ""); with it as well.

Use both on parameters before passing to method.

Related Questions in JSP

Related Questions in XSS

Related Questions in CHECKMARX

Popular Questions

Popular Tags

javascript python java c# php android html jquery c++ css ios sql mysql r reactjs node.js arrays c asp.net json python-3.x ruby-on-rails .net sql-server swift django angular objective-c pandas excel

Trending Questions