I am working on securing the input request params of my application against XSS attacks. I came across the OWASP cheat sheet for securing against XSS attacks. I am following the instructions at https://github.com/owasp/java-html-sanitizer.
I have managed to block the XSS attack (done by supplying events like onMouseOver appended to an input param) by using the code below:
import org.owasp.html.PolicyFactory;
import org.owasp.html.Sanitizers;

// Allow only simple formatting and block-level elements; everything else is stripped
PolicyFactory policy = Sanitizers.FORMATTING.and(Sanitizers.BLOCKS);
value = policy.sanitize(value); // value is the "value" of the input param
This converts something like name=FIRST" onmouseover="alert('222') supplied in the query string X=Val1&Y=&Z=&A=false&name=FIRST" onmouseover="alert('222')&B=456&C=123 to
<span class="db-wrap-name" title="FIRST"" onload="alert('222s2')="">FIRST" onload="alert('2222')</span>
My question is: is this sanitization sufficient to protect the input param from XSS?
PS: Can someone point me to a linear source to go through for OWASP HTML sanitization? I have managed to get an understanding of this, but there are gaps. It would be great if I could get a linear source.
Thanks
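The rendered output quoted in the question shows the sanitized value landing inside a title="..." attribute as well as in the element's text, and the sanitizer is an HTML-fragment filter, not an attribute encoder: it treats the value as markup to be cleaned, so a bare " in plain text is not something it is designed to neutralise for an attribute context. The usual fix is to encode at the point of output, per context, rather than to filter the input. The following is an added example, not code from the question or from the java-html-sanitizer project; it assumes the OWASP Java HTML Sanitizer and the OWASP Java Encoder (org.owasp.encoder) are on the classpath, and the two render methods and the class name are hypothetical stand-ins for whatever builds the <span> in the application.

```java
import org.owasp.encoder.Encode;
import org.owasp.html.PolicyFactory;
import org.owasp.html.Sanitizers;

public class NameRendering {

    // Same policy as in the question: simple formatting plus block-level elements.
    private static final PolicyFactory POLICY = Sanitizers.FORMATTING.and(Sanitizers.BLOCKS);

    // Hypothetical reconstruction of the rendering in the question: one sanitized
    // string is dropped into BOTH an attribute value and a text node. The sanitizer
    // sees no tags in the payload, so it has nothing to strip, and whatever quote
    // characters survive are interpreted by the browser as attribute delimiters.
    static String renderSanitizedOnly(String value) {
        String sanitized = POLICY.sanitize(value);
        return "<span class=\"db-wrap-name\" title=\"" + sanitized + "\">"
                + sanitized + "</span>";
    }

    // Context-aware output encoding: the attribute gets the attribute encoder
    // (which turns " into &#34;, ' into &#39;, < into &lt;, & into &amp;), the
    // text node gets the HTML body encoder. No attribute or tag boundary can be
    // created by the value, so an injected onmouseover stays inert text.
    static String renderEncoded(String value) {
        return "<span class=\"db-wrap-name\" title=\"" + Encode.forHtmlAttribute(value) + "\">"
                + Encode.forHtml(value) + "</span>";
    }

    // The sanitizer is the right tool when the value is SUPPOSED to contain HTML
    // (a rich-text comment, for instance) and you intend to emit it as markup.
    // A query-string "name" parameter is plain text and never needs a sanitizer.
    static String renderRichText(String untrustedHtml) {
        return "<div class=\"comment\">" + POLICY.sanitize(untrustedHtml) + "</div>";
    }

    public static void main(String[] args) {
        // Constructed sample input, the payload from the question.
        String payload = "FIRST\" onmouseover=\"alert('222')";

        System.out.println("sanitizer only : " + renderSanitizedOnly(payload));
        System.out.println("output encoded : " + renderEncoded(payload));

        // Constructed rich-text sample: the <b> survives the policy, the <script> does not.
        String comment = "<b>hello</b><script>alert(1)</script>";
        System.out.println("rich text      : " + renderRichText(comment));
    }
}
```

Run it and compare the first two lines: in the encoded version the title attribute is closed only by the quote the template wrote, and the payload's own quote characters appear as &#34;. The practical rule is: encode every value at the point where it is written into HTML, using the encoder for that context (attribute, text, JavaScript, URL), and reserve the sanitizer for fields whose content is legitimately HTML.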