I found the following code for XSS sanitizing.

private String cleanXSS(String value) {

    value = value.replaceAll("<", "& lt;").replaceAll(">", "& gt;");
    value = value.replaceAll("\\(", "& #40;").replaceAll("\\)", "& #41;");
    value = value.replaceAll("'", "& #39;");
    value = value.replaceAll("eval\\((.*)\\)", "");
    value = value.replaceAll("[\\\"\\\'][\\s]*javascript:(.*)[\\\"\\\']", "\"\"");
    value = value.replaceAll("script", "");
    return value;
}

Are "& lt;", "& gt;", "& #40;", "& #41;" and "& #39;" correct?

I think "&lt;", "&gt;", ... are correct, without a space between & and lt.

John Ferguson
devSimba

In general, it's not very secure to sanitize for XSS yourself. I recommend finding a library that does this. – Heng Ye Jun 04 '21 at 12:17

1 Answer

Replacements with &lt;, &gt; and &#39; are part of HTML encoding and have their use when outputting in an HTML context. It's missing &quot; and &amp; though. This is Rule #1 on OWASP XSS Prevention.

The rest with script and eval doesn't make much sense. It can corrupt valid user input. The eval() replacement will never match because it's already replaced the parentheses. It checks for script but not SCRIPT. scscriptript is converted into script. And there are other ways of executing JS that it doesn't look for.

Trying to look for specific strings doesn't really work. It's better to focus on applying the correct encoding at the time of output, and being careful about where you output values, following the OWASP guides.

fgb
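As an added example (not code from the question or the answer), the following Java class reproduces the question's cleanXSS verbatim next to a plain HTML-context encoder that follows OWASP XSS Prevention Rule #1 (encode &, <, >, " and ' with correctly spelled entities, no space after the &). The inputs in main are constructed to exercise each failure the answer lists: the reassembled "script", uppercase SCRIPT, the eval() rule that never fires, the missing &quot; and &amp;, and a legitimate word the blacklist mangles. The class name and the input strings are assumptions for illustration.

```java
import java.util.List;

public class XssEncodingDemo {

    // The blacklist filter from the question, reproduced as posted (including
    // the stray spaces inside the entities) so its failure modes can be observed.
    static String cleanXSS(String value) {
        value = value.replaceAll("<", "& lt;").replaceAll(">", "& gt;");
        value = value.replaceAll("\\(", "& #40;").replaceAll("\\)", "& #41;");
        value = value.replaceAll("'", "& #39;");
        value = value.replaceAll("eval\\((.*)\\)", "");
        value = value.replaceAll("[\\\"\\\'][\\s]*javascript:(.*)[\\\"\\\']", "\"\"");
        value = value.replaceAll("script", "");
        return value;
    }

    // HTML element-content / quoted-attribute encoding per OWASP Rule #1.
    // Every character that can change the meaning of HTML text is turned into
    // an entity; nothing else is touched, so valid input is never corrupted and
    // there is no pattern for an attacker to evade. "&" must be encoded first
    // (here: at all) so that user-supplied "&lt;" does not decode to "<".
    static String encodeForHtml(String value) {
        StringBuilder sb = new StringBuilder(value.length() + 16);
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break; // &apos; is not HTML 4; use the numeric form
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed inputs (assumptions for illustration), one per failure mode.
        List<String> inputs = List.of(
            "scscriptript",                        // removing one "script" reassembles another
            "<SCRIPT>alert(1)</SCRIPT>",           // case-sensitive blacklist leaves SCRIPT intact
            "eval(alert(1))",                      // eval rule never matches: parens already replaced
            "\" autofocus onfocus=\"self.name=1",  // no &quot;: breaks out of a quoted attribute
            "&lt;b&gt;",                           // no &amp;: an entity typed by a user is decoded
            "transcript of the Javascript talk"    // legitimate text corrupted to "tran ... Java"
        );
        for (String in : inputs) {
            System.out.println("input   : " + in);
            System.out.println("cleanXSS: " + cleanXSS(in));
            System.out.println("encoded : " + encodeForHtml(in));
            // Where the value is used decides which encoder applies; this one is
            // only for HTML text and quoted attribute values, not for JS or URLs.
            System.out.println("in HTML : <p title=\"" + encodeForHtml(in) + "\">"
                    + encodeForHtml(in) + "</p>");
            System.out.println();
        }
    }
}
```

Note that cleanXSS leaves the fourth and fifth inputs completely unchanged, and turns the last one into "tran of the Java talk", while encodeForHtml produces output that renders as exactly the text the user typed in every case. An established encoder such as the OWASP Java Encoder covers the other output contexts (attribute, JavaScript, URL, CSS) that this element-content example does not.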