In a JAX-RS BookShop I want to filter customer recensions for XSS content. For a JSF application I do this by applying a filter in web.xml which checks the value of the attached parameter for XSS content. Since JAX-RS web services receive serialized objects instead of parameter values, it would be much easier to validate the content within the recension bean itself. Hence, I am of the opinion that there is no reason to apply an XSS filter within JAX-RS services. Am I right?

My-Name-Is
  • Why do you want to filter XSS on input instead of output? XSS content is totally harmless in Java servers (and SQL databases). It's only harmful in HTML clients. – BalusC Jul 08 '13 at 17:03
  • Related: http://stackoverflow.com/questions/2233015/what-is-the-general-concept-behind-xss/2233110#2233110 and http://stackoverflow.com/questions/7722159/csrf-xss-and-sql-injection-attack-prevention-in-jsf – BalusC Jul 08 '13 at 17:05
  • To filter responses is much more complicated than doing that for requests. That's why I prefer a request filter. I know that JSF has a built-in functionality to prevent XSS attacks. But in future I can't ensure that a JSF application is used as the JAX-RS client software. Therefore, I follow the idea of XSS-attack-free data in the database. So, no further XSS attack prevention is necessary. However, what I want to know is which approach for XSS filtering is more convenient in a JAX-RS web service: either with a `javax.servlet.Filter` or within the data entity itself. – My-Name-Is Jul 08 '13 at 22:34

1 Answer

For reasons of simplicity I decided to replace the XSS request filter by the method `private String eliminateIllegalCharacters(final String text){...}`, which is called when setting values of a data entity, like `Recension#setComment(String comment)`. I couldn't figure out any benefits for doing that with a `javax.servlet.Filter`.

My-Name-Is
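A sketch of the setter-based approach described in the answer, added here as an example and not the asker's own code: the JAX-RS provider unmarshals the request body through `setComment()`, so every comment is escaped before the resource method or any persistence layer sees it. The field names, the escaping rules and the resource path are assumptions.

```java
import javax.ws.rs.Consumes;
import javax.ws.rs.POST;
import javax.ws.rs.Path;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;

// Hypothetical entity; a JSON/XML provider calls the setter during unmarshalling.
public class Recension {
    private String comment;

    public String getComment() {
        return comment;
    }

    // Single choke point: every deserialized request body passes through here.
    public void setComment(final String comment) {
        this.comment = eliminateIllegalCharacters(comment);
    }

    // Encodes the five HTML-significant characters so the stored text renders as
    // literal text in an HTML client, and drops C0 control characters.
    private static String eliminateIllegalCharacters(final String text) {
        if (text == null) return null;
        final StringBuilder sb = new StringBuilder(text.length());
        for (int i = 0; i < text.length(); i++) {
            final char c = text.charAt(i);
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:
                    if (c >= 0x20 || c == '\n' || c == '\t') {
                        sb.append(c);
                    }
            }
        }
        return sb.toString();
    }
}

// Hypothetical resource; by the time create() runs, recension.getComment() is already escaped.
@Path("/recensions")
class RecensionResource {
    @POST
    @Consumes(MediaType.APPLICATION_JSON)
    public Response create(final Recension recension) {
        return Response.status(Response.Status.CREATED).entity(recension).build();
    }
}
```

Storing escaped text commits every consumer to treating the field as HTML; a non-HTML client receives `&lt;` and friends and has to decode them, which is the point behind BalusC's comment that escaping belongs at the output side.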