1
votes

My team is fixing vulnerability threats in an old JSP application. The problem is it allows (permissioned) users to create a simple home page by putting their HTML into a textarea and having it render on the page. The problem is XSS issues. I have been doing some research and found that within the JSP pages I can use:

fn:escapeXml() from the JSTL library to escape any HTML/XML that is input. This is fine for simple form inputs, but for the home page creator I want to be able to keep simple HTML but get rid of any harmful scripts or XSS vulnerabilities.

My teammate and I are fairly new to fixing XSS issues and have been relying on resources we find.

I have come across these resources and, after reading through them, am not sure whether this will work the way I would like.

- Which HTML sanitization library to use?

- https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet

If I use OWASP, will this sanitize the HTML down to basic rendering and prevent any scripting from being executed?

Here is what I currently have in my JSP:

<td class='caption'>
  <%-- capture the scriptlet output in an EL variable so it can be escaped --%>
  <c:set var="x"><%=system.getName()%></c:set>
  <%-- fn:escapeXml encodes <, >, &, ' and " so the value renders as text, not markup --%>
  Options for ${fn:escapeXml(x)}
</td>

This works and currently stops any HTML/XML/script from running, but I would still like basic HTML (titles, paragraphs, fonts, colors, etc.) for a simple informational page.

1 Answer

0
votes

According to OWASP:

If your application handles markup -- untrusted input that is supposed to contain HTML -- it can be very difficult to validate. Encoding is also difficult, since it would break all the tags that are supposed to be in the input. Therefore, you need a library that can parse and clean HTML formatted text.

There are different HTML sanitizing libraries. The owasp-java-html-sanitizer library is probably a good choice.

You can use prepackaged policies:

// Prepackaged policies: inline formatting tags plus <a href> with safe URL protocols
PolicyFactory policy = Sanitizers.FORMATTING.and(Sanitizers.LINKS);
String safeHTML = policy.sanitize(untrustedHTML);

configure your own policy:

PolicyFactory policy = new HtmlPolicyBuilder()
   .allowElements("a")
   .allowUrlProtocols("https")              // href="javascript:..." or "http:..." is dropped
   .allowAttributes("href").onElements("a")
   .requireRelNofollowOnLinks()             // adds rel="nofollow" to every surviving link
   .build();
String safeHTML = policy.sanitize(untrustedHTML);

or write custom policies:

import java.util.List;
import org.owasp.html.ElementPolicy;
import org.owasp.html.HtmlPolicyBuilder;
import org.owasp.html.PolicyFactory;

PolicyFactory policy = new HtmlPolicyBuilder()
    .allowElements("p")
    // Rewrite <h1>..<h6> to <div class="header-hN">; attrs is a flat name,value list
    .allowElements(
        new ElementPolicy() {
          public String apply(String elementName, List<String> attrs) {
            attrs.add("class");
            attrs.add("header-" + elementName);
            return "div";
          }
        }, "h1", "h2", "h3", "h4", "h5", "h6")
    .build();
String safeHTML = policy.sanitize(untrustedHTML);

Read the documentation for full details.