Can OWASP sanitize JSP requests as well ?


nehame...@gmail.com
Dec 14, 2017, 12:22:08 AM
to OWASP Java HTML Sanitizer Support
Hi,

We have a web application fully dependent on JSP forms. We need to mitigate XSS risks. Can we use OWASP for sanitizing JSP pages as well?
If yes, are there any performance issues encountered?

Mike Samuel
Dec 14, 2017, 10:38:51 AM
to OWASP Java HTML Sanitizer Support
Are you dealing with JSP pages that you do not trust, or do you trust the JSP pages' authors but want to make sure that XSS safety does not depend on them properly escaping/sanitizing EL values that are interpolated into the output?

If the former, no, the OWASP sanitizer will probably break JSP directives in the page, and even if it doesn't, will not prevent arbitrary Java code execution by the JSP.

If the latter, contextual autoescaping a la https://developers.google.com/closure/templates/docs/security has done a great job hardening against XSS in other contexts.

I put together
to show that JSP engines could provide hooks to enable contextual autoescaping, but haven't had bandwidth to shepherd that through the JCP.


--
You received this message because you are subscribed to the Google Groups "OWASP Java HTML Sanitizer Support" group.
To unsubscribe from this group and stop receiving emails from it, send an email to owasp-java-html-sanitizer-support+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Jim Manico
Dec 14, 2017, 6:19:06 PM
to owasp-java-html-...@googlegroups.com
There is an old OWASP project that already uses the OWASP Java Encoder to auto-escape in a JSP like way.


This can help migrate JSP to auto-escaping JSP and might be a good start if you wish to revive this. The code is quite mature, written by a serious expert, even though it has not been maintained...

--
Jim Manico
@Manicode
Secure Coding Education

Jim Manico
Dec 14, 2017, 7:18:08 PM
to owasp-java-html-...@googlegroups.com, Mike Samuel

One more note for nehame...@gmail.com

If you have existing JSP with XSS and need to fix that, you need to do two different kinds of security.

1) If the variable you add to JSP contains HTML I would use the OWASP HTML Sanitizer when you first get that input, and consider DOMPurify (a JS library) when you render that HTML in the client.

2) If the variable you add to JSP contains just a normal string (and NOT HTML) then you need to escape these variables. This is the Java Library I would use to do the escaping: https://www.owasp.org/index.php/OWASP_Java_Encoder_Project and this is how to use it: https://www.owasp.org/index.php/OWASP_Java_Encoder_Project#tab=Use_the_Java_Encoder_Project

Aloha, Jim
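A worked illustration of the two cases Jim distinguishes above, added here as an example; it is not part of the original thread and not the OWASP projects' own code. It assumes the OWASP Java HTML Sanitizer and OWASP Java Encoder libraries are on the classpath; the allow-list policy, the helper class and the sample inputs are constructed for illustration.

```java
import org.owasp.encoder.Encode;
import org.owasp.html.PolicyFactory;
import org.owasp.html.Sanitizers;

/**
 * Case 1: untrusted input that is supposed to be HTML is sanitized once,
 *         when it is first received, against an allow-list policy.
 * Case 2: untrusted input that is a plain string is escaped at render time
 *         for the exact output context it lands in (text, attribute, script).
 * The class name and policy are hypothetical; the library calls are real.
 */
public final class JspXssMitigation {

    // Allow-list policy: basic formatting plus links. Anything not on the
    // list (script elements, event-handler attributes, javascript: URLs)
    // is removed rather than escaped.
    private static final PolicyFactory HTML_POLICY =
            Sanitizers.FORMATTING.and(Sanitizers.LINKS);

    /** Case 1: a value that may legitimately carry markup (e.g. a rich-text comment). */
    public static String sanitizeRichText(String untrustedHtml) {
        return HTML_POLICY.sanitize(untrustedHtml);
    }

    /** Case 2: a plain value interpolated into an HTML text node. */
    public static String escapeForHtmlBody(String untrustedText) {
        return Encode.forHtml(untrustedText);
    }

    /** Case 2, attribute context: the value goes inside value="...". */
    public static String escapeForHtmlAttribute(String untrustedText) {
        return Encode.forHtmlAttribute(untrustedText);
    }

    /** Case 2, script context: the value goes inside a JavaScript string literal. */
    public static String escapeForJavaScript(String untrustedText) {
        return Encode.forJavaScript(untrustedText);
    }

    public static void main(String[] args) {
        // Constructed sample inputs of the kind that reach a JSP via request parameters.
        String richText = "<b>hello</b><script>alert(1)</script>"
                        + "<a href=\"javascript:alert(2)\">x</a>";
        String plain = "\"><script>alert(3)</script>";

        System.out.println(sanitizeRichText(richText));       // store this, not the raw input
        System.out.println(escapeForHtmlBody(plain));         // <p>${value}</p>
        System.out.println(escapeForHtmlAttribute(plain));    // <input value="${value}">
        System.out.println(escapeForJavaScript(plain));       // var v = '${value}';
    }
}
```

Inside a JSP the same Java Encoder functions are available through its tag library (`<%@ taglib prefix="e" uri="owasp.encoder" %>`, then `${e:forHtml(param.name)}`), which is the "escape at render time" half of case 2.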