[WEB SECURITY] HTMLEncoding in textarea in java

Arshan Dabirsiaghi arshan.dabirsiaghi at aspectsecurity.com
Tue Sep 9 13:08:32 EDT 2008


Hrm. After looking at your email more closely I am only becoming more confused about your situation.
 
0) I assume you weren't actually calling any encoding or mis-calling it because properly encoded data within textareas won't execute. For paranoia's sake, I just tested in FF2 + IE7.
1) Your code looks like JSP EL and your variable looks like a Struts ActionForm but you talk about "server.encodeHTML." The closest thing to this I know is .NET's Server.HtmlEncode() which does at least the big four (<>&"). What technologies are involved here?
2) Do a "View Source" on an injected page. What are you looking at? Are you sure the problem isn't in another part of the page?
 
Arshan

________________________________

From: Arshan Dabirsiaghi [mailto:arshan.dabirsiaghi at aspectsecurity.com]
Sent: Tue 9/9/2008 12:05 PM
To: mike ; websecurity at webappsec.org
Subject: RE: [WEB SECURITY] HTMLEncoding in textarea in java


Mike,
 
The output method you've chosen, JSP Expression Language (EL), does not encode output automatically. You need to either use another mechanism or encode the value of "userdata" in your action handler before control is forwarded to the JSP.
 
Alternatives:
1) Scriptlet in combination with custom function for HTML-entity encoding:
<% out.println(org.owasp.HTMLEncode(addEditConfigurationForm.getUserData())); %>
 
2) JSP Expression in combination with custom function for HTML-entity encoding:
<%= org.owasp.HTMLEncode(addEditConfigurationForm.getUserData()) %>
 
3) Custom JSP tag that performs HTML-entity encoding:
<bean:write name="addEditConfigurationForm" property="userdata"/>
 
I think most people will agree #3 is the cleanest. That particular JSP tag is in the Struts taglib, and given your form variable's naming convention, I'd guess with high confidence that it should be available in your environment. The OWASP ESAPI project also has tag libraries available specifically for dealing with XSS in many contexts, so I would also check those out.
 
Cheers,
Arshan
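The `org.owasp.HTMLEncode` call in Arshan's alternatives #1 and #2 is a placeholder for an entity encoder; the class below is an added illustration (not from this thread, OWASP or Struts; `HtmlEncoder` and `renderTextarea` are hypothetical names) of what such a function has to do for a value written into a textarea body: the "big four" plus the apostrophe, so a stored value can never terminate the element.

```java
// Added example, not code from the mailing-list thread. HtmlEncoder and
// renderTextarea are hypothetical names standing in for the
// "org.owasp.HTMLEncode" placeholder used in the reply above.
public final class HtmlEncoder {

    private HtmlEncoder() {}

    /**
     * Entity-encode untrusted text for an HTML element body or a quoted
     * attribute value. Encodes & < > " and ' so that neither a closing
     * tag nor a quote in the data can change the markup structure.
     */
    public static String encode(String input) {
        if (input == null) {
            return "";
        }
        StringBuilder sb = new StringBuilder(input.length() + 16);
        for (int i = 0; i < input.length(); i++) {
            char c = input.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break; // &apos; is not defined in HTML 4
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Render the textarea from Mike's page with the stored value encoded. */
    public static String renderTextarea(String userdata) {
        return "<textarea name=\"userdata\" id=\"userdata\">"
             + encode(userdata)
             + "</textarea>";
    }

    public static void main(String[] args) {
        // Constructed sample: database content that happens to contain
        // markup, including a closing textarea tag.
        String stored = "Notes: a < b && c > \"d\" </textarea>";
        System.out.println("raw:     " + stored);
        System.out.println("encoded: " + renderTextarea(stored));
    }
}
```

The encoded output keeps the whole value inside the textarea as literal text, which is what the browser must see regardless of whether the encoding happens in the action handler, a scriptlet, or a tag such as `<bean:write>`.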

________________________________

From: mike [mailto:mike9966 at rediffmail.com]
Sent: Tue 9/9/2008 11:18 AM
To: websecurity at webappsec.org
Subject: [WEB SECURITY] HTMLEncoding in textarea in java



Hi,

I have an instance where user-supplied data is initially stored in the database and later displayed back in the <textarea> field to the browser.

When I try to encode the value using server.encodeHTML, the script is still executing in the browser, leading to XSS.

To give an instance,

<bc:textarea name="userdata" id="userdata" (this,255);"'>${addEditConfigurationForm.userdata}</bc:textarea>

Kindly let me know how to implement encoding in this instance to mitigate XSS.

Thanks
Mike 




