Announcement Announcement Module
Collapse
No announcement yet.
Cross Site Scripting (XSS) filtering? Page Title Module
Move Remove Collapse
This topic is closed
X
X
Conversation Detail Module
Collapse
  • Filter
  • Time
  • Show
Clear All
new posts

  • Cross Site Scripting (XSS) filtering?

    Has anyone developed a cross site scripting filter/interceptor for their webapp using Acegi? Does this even make sense? I have used the BadInputFilterValve from the O'Reilly http://www.oreilly.de/catalog/tomcat/ Tomcat book. It works great but it seemed like a filter would be more general.

  • #2
    No, Acegi Security doesn't have a XSS filter.

    I am not sure how you could do it at a filter level. http://www.cgisecurity.com/articles/...q.shtml#vendor discusses the conversion of potentially malicious characters from the output stream, but how would that filter decide which are valid (ie administrator/developer defined) versus invalid (malicious user defined)? It would seem more an application-level responsibility to filter at the point user content submissions are accepted.

    Comment


    • #3
      Thanks for the quick response Ben. I'll keep pondering this and see how I can come up with a more neutral solution.

      Comment


      • #4
        After testing my app, at appears that Spring is escaping the html markup that might make a page vulnerable. I'm not sure how/why but I didn't need to apply xss filtering to my spring app to make it work. Any attempt at putting markup into my input fields resulted in the markup being property html escaped! Not so for my older struts app tho :wink:

        As usual, I'm barking up the wrong tree.

        Comment

        Working...
        X