How to avoid Cross Site Scripting (XSS) attacks while using JSF and RichEditor

3
votes

I am using Rich Editor for user input text box on an all-JSF platform. I am trying to avoid XSS attacks on this text field.

The requirement is that

  • the user can enter any character in the text box,
  • the rich editor should display non-encoded values or the editor should not display &lt; for <,
  • Cross-Site-Scripting (XSS) should be avoided.

So the problem is that since we have to display the values correctly, we put escape=false for outputtext, but it then becomes vulnerable to XSS attacks.

I tried using jsoup for filtering the HTML tags but it seems that the input automatically gets encoded and jsoup cannot be used.

So my questions are the following.

  1. Is there a better approach of avoiding XSS attacks for rich editor with escape=false?
  2. It looks like the text input is encoded when it reaches the save phase so I have not been able to filter with jsoup. How does JSF internally work in terms of encoding and decoding the text values. At which point can a script run?
  3. If it happens to be encoded internally just after getting the input do I need to worry about XSS attack?
  4. Also, there is a software Parse and it is being used to intercept a request. Is this a common tool for hacking and how this can be used to have a potential attack and how to avoid it in the present scenario. In specific, does it make any difference if a person intercepts the request as this software does for a normal request?
1
javasecurityjsfxssrichedit
How have you tried jsoup there? Could you provide a brief example?Xtreme Biker

1 Answers

4
votes

You should implement a Content Security Policy on any pages where you output the rich text.

This allows you to effectively stop inline script from being executed by the browser. It is currently supported by modern browsers such as Chrome and Firefox.

This is done by a HTTP response header from your page.

e.g.

Content-Security-Policy: script-src 'self' https://apis.google.com

will stop inline JavaScript from being executed if a user managed to inject it into your page (it will be ignored with a warning), but will allow script tags referencing either your own server or https://apis.google.com. This can be customised to your needs as required.

You could use this in combination with an HTML sanitizer to strip any malicious tags for a belt and braces approach and for protection for browsers that do not support CSP.

Google have now implemented CSP in Gmail to ensure any HTML email received cannot try anything sneaky to launch an XSS attack.

Update: At last time of checking, the CSP in Gmail appears to be pretty weak, allowing script-src to have unsafe-inline and unsafe-eval:

content-security-policy: script-src https://clients4.google.com/insights/consumersurveys/ https://www.google.com/js/bg/ 'self' 'unsafe-inline' 'unsafe-eval' https://mail.google.com/_/scs/mail-static/ https://hangouts.google.com/ https://talkgadget.google.com/ https://*.talkgadget.google.com/ https://www.googleapis.com/appsmarket/v2/installedApps/ https://www-gm-opensocial.googleusercontent.com/gadgets/js/ https://docs.google.com/static/doclist/client/js/ https://www.google.com/tools/feedback/ https://s.ytimg.com/yts/jsbin/ https://www.youtube.com/iframe_api https://ssl.google-analytics.com/ https://apis.google.com/_/scs/abc-static/ https://apis.google.com/js/ https://clients1.google.com/complete/ https://apis.google.com/_/scs/apps-static/_/js/ https://ssl.gstatic.com/inputtools/js/ https://ssl.gstatic.com/cloudsearch/static/o/js/ https://www.gstatic.com/feedback/js/ https://www.gstatic.com/common_sharing/static/client/js/ https://www.gstatic.com/og/_/js/;frame-src https://clients4.google.com/insights/consumersurveys/ https://calendar.google.com/accounts/ 'self' https://accounts.google.com/ https://apis.google.com/u/ https://apis.google.com/_/streamwidgets/ https://clients6.google.com/static/ https://content.googleapis.com/static/ https://mail-attachment.googleusercontent.com/ https://www.google.com/calendar/ https://calendar.google.com/calendar/ https://docs.google.com/ https://drive.google.com https://*.googleusercontent.com/docs/securesc/ https://feedback.googleusercontent.com/resources/ https://www.google.com/tools/feedback/ https://support.google.com/inapp/ https://*.googleusercontent.com/gadgets/ifr https://hangouts.google.com/ https://talkgadget.google.com/ https://*.talkgadget.google.com/ https://www-gm-opensocial.googleusercontent.com/gadgets/ https://plus.google.com/ https://wallet.google.com/gmail/ https://www.youtube.com/embed/ https://clients5.google.com/pagead/drt/dn/ https://clients5.google.com/ads/measurement/jn/ https://www.gstatic.com/mail/ww/ https://www.gstatic.com/mail/intl/ https://clients5.google.com/webstore/wall/ https://ci3.googleusercontent.com/ https://apis.google.com/additnow/ https://www.gstatic.com/mail/promo/ https://notifications.google.com/ https://mail-payments.google.com/mail/payments/;report-uri https://mail.google.com/mail/cspreport;object-src https://mail-attachment.googleusercontent.com/swfs/ https://mail-attachment.googleusercontent.com/attachment/