
I am using XSS cross-site scripting in my application. My application has an endpoint where I have to upload an xls file through Postman. When I try to hit the endpoint, the XSS scripting doesn't let it pass and gives the following error:

2019-08-08 10:47:38|800 [DEBUG] com.vz.stamps.tools.XSSTools - Value to validate for XSS: [----------------------------503127257286871229160750Content-Disposition: form-data; name="file"; filename="New Microsoft Excel Worksheet.xls"Content-Type: application/vnd.ms-excelPK

This is my code for urlDecode:

    import java.io.UnsupportedEncodingException;
    import java.net.URLDecoder;
    import java.nio.charset.StandardCharsets;
    import org.slf4j.Logger;
    import org.slf4j.LoggerFactory;

    // Assumed: an SLF4J logger, which matches the info(String, Throwable) calls below.
    private static final Logger logger = LoggerFactory.getLogger(XSSTools.class);

    public static String urlDecode(String value) {
        try {
            // Replaces the encoded percent sign ("%25") with a space before decoding.
            value = value.replaceAll("%25", " ");
            value = URLDecoder.decode(value, StandardCharsets.UTF_8.name());
        } catch (UnsupportedEncodingException e) {
            logger.info("Unable to decode String with UTF8! Trying a different encoding", e);
            try {
                value = URLDecoder.decode(value, StandardCharsets.ISO_8859_1.name());
            } catch (UnsupportedEncodingException e1) {
                logger.info("Unable to decode String with ISO_8859_1! Trying a different encoding", e1);
                try {
                    value = URLDecoder.decode(value, StandardCharsets.US_ASCII.name());
                } catch (UnsupportedEncodingException e2) {
                    logger.info("Unable to decode String with US_ASCII! Not trying to decode any further!!!", e2);
                }
            }
        } catch (Exception e) {
            // Reached for the IllegalArgumentException that URLDecoder throws on a '%'
            // not followed by two hex digits; every '%' is then stripped from the value.
            logger.error("Error decoding String, returning null!!!", e);
            return value.replaceAll("%", "");
        }
        return value;
    }

The value I am getting from Postman is:

----------------------------238658527993479868792963Content-Disposition: form-data; name="file"; filename="New Microsoft Excel Worksheet.xls"Content-Type: application/vnd.ms-excelPK

Error:

URLDecoder: Illegal hex characters in escape (%) pattern - For input string: "¿"

Bhanu Mittal
  • XSS, or cross-site scripting, commonly designates a class of security vulnerabilities; you should probably use another name for your tool. Unless your application is intended to do some kind of pentesting? – Ortomala Lokni Aug 11 '19 at 08:04
  • What is XSSTools? The Excel file is binary data, but it looks like you're trying to use text decoding on it. – fgb Aug 11 '19 at 12:34
  • If you look at the above code, it doesn't let the request pass to the controller. When the HttpServletRequest comes, the content of the xls file comes in as a JSON body with weird characters like "¿" appended to the body, due to which it is not able to pass through the above code. My question is, is there a way I can get the xls file without these characters being appended to the file data? PS: these weird characters get appended with xls files only; it works fine with txt files. – Bhanu Mittal Aug 12 '19 at 18:55
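The "¿" is not something appended to the file: it is a raw byte of the binary .xls payload, and the error comes from running the whole multipart body through URLDecoder, which throws as soon as a '%' is not followed by two hex digits. The fallback that strips every '%' then silently corrupts the upload. The following added example (not code from the question; the class, method and sample bodies are constructed for illustration) shows a content-type guard that only URL-decodes form-encoded text and a decoder that leaves a value untouched rather than damaging it:

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.regex.Pattern;

public class DecodeGuard {

    // A '%' not followed by two hex digits: exactly the input that makes
    // URLDecoder throw IllegalArgumentException ("Illegal hex characters").
    private static final Pattern BAD_ESCAPE = Pattern.compile("%(?![0-9A-Fa-f]{2})");

    // Only application/x-www-form-urlencoded bodies (and query strings) carry
    // %XX escapes. A multipart/form-data body is headers plus raw bytes and
    // must not be handed to URLDecoder as a whole.
    static boolean isUrlEncoded(String contentType) {
        if (contentType == null) return false;
        return contentType.trim().toLowerCase().startsWith("application/x-www-form-urlencoded");
    }

    // Decode only when every '%' starts a valid escape; otherwise return the
    // value unchanged instead of deleting '%' characters, which would corrupt
    // binary content such as an .xls file.
    static String decodeOrKeep(String value) {
        if (value == null || BAD_ESCAPE.matcher(value).find()) {
            return value;
        }
        // Charset overload exists since Java 10; on Java 8 use decode(value, "UTF-8").
        return URLDecoder.decode(value, StandardCharsets.UTF_8);
    }

    public static void main(String[] args) {
        // Constructed inputs: one form field, and the start of a multipart
        // upload whose binary payload contains '%' followed by 0xBF ("¿").
        String formBody = "comment=%3Cb%3Ehello%3C%2Fb%3E";
        String multipartBody = "----------------------------1234\r\n"
            + "Content-Disposition: form-data; name=\"file\"; filename=\"sheet.xls\"\r\n"
            + "Content-Type: application/vnd.ms-excel\r\n\r\n"
            + "PK\u0003\u0004%\u00BF\u0001";

        String formType = "application/x-www-form-urlencoded";
        String decodedForm = isUrlEncoded(formType) ? decodeOrKeep(formBody) : formBody;
        System.out.println("form field handed to the XSS check: " + decodedForm);

        String uploadType = "multipart/form-data; boundary=--------------------------1234";
        String upload = isUrlEncoded(uploadType) ? decodeOrKeep(multipartBody) : multipartBody;
        System.out.println("upload left intact by the guard: " + upload.equals(multipartBody));
        // Even without the guard, decodeOrKeep refuses to alter the binary body.
        System.out.println("decodeOrKeep left it intact: " + decodeOrKeep(multipartBody).equals(multipartBody));
    }
}
```

With this split, the XSS validation can still run over the decoded text fields (and over a multipart part's filename and text fields, obtained through the servlet's multipart parsing) while file parts are passed to the controller byte for byte.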

0 Answers