Comments on: Simple Cross Site Scripting (XSS) Servlet Filter

By: 穿過雲層оО Rudy | java过滤跨站脚本(XSS)攻击的simple代码

穿過雲層оО Rudy | java过滤跨站脚本(XSS)攻击的simple代码 — Wed, 24 Feb 2010 06:16:17 +0000

[...] override the getParameter methods and clean any potential script injection. Here’s the Filter: view plaincopy to [...]

By: Anonymous

Anonymous — Mon, 08 Feb 2010 12:21:06 +0000

Is there any updated code available for cleanXSS method, considering the comments provided above?

By: Tapas Adhikary

Tapas Adhikary — Mon, 06 Apr 2009 09:48:43 +0000

Sorry , I meant ,
value = value.replaceAll(”(?i)script”, “”); instead of
value = value.replaceAll(”script”, “”); for a case insensitive replacement.

In my last comment…

By: Tapas Adhikary

Tapas Adhikary — Mon, 06 Apr 2009 09:47:25 +0000

Adding (?i) , in front of the replacing String would treat it as case insensitive way of replacement. So , in cleanXSS() method , you can use
value = value.replaceAll(“(?i)script”, “”); instead of
value = value.replaceAll(“(?i)script”, “”); for a case insensitive replacement.

Thanks,
-Tapas

By: webguy

webguy — Sat, 28 Mar 2009 12:43:59 +0000

I think the main idea here is the use of a Servlet Filter to override the getParameter methods of the HttpServletRequest with an HttpServletRequestWrapper, the cleanXSS method I’m sure is not perfect, but is welcome to improvement, you could use a more complex regex to make it case insensitive to fix the “SCript” condition

By: Masa

Masa — Sat, 28 Mar 2009 08:08:16 +0000

I am interested in XSS and XSRF for protecting our servers.
I’m glad to refer your XSS Filter.

If input characters is “SCRIPT” or “ScRipT”, what should we do about line 49?

By: Richard

Richard — Wed, 25 Mar 2009 16:18:20 +0000

Since line 45 replaces parathesis, line 47 will never be hit. Also, replacing all the JS events (onload, onclick, etc) is a good idea, as is making the match case insensitive.

By: MArtin

MArtin — Tue, 27 Jan 2009 08:16:18 +0000

Hi, to be shure there is no evil code in the Request the URLEncoder-Output has to be checked too: %3Cscript%3Ealert%281234%29%3C%2Fscript%3E

By: Chris

Chris — Wed, 10 Dec 2008 17:40:05 +0000

I’m getting this error on my jsps after I’ve implemented this filter. Any idea what causes this?

[12/10/08 12:38:43:289 EST] 0000003e ServletWrappe E SRVE0068E: Uncaught exception thrown in one of the service methods of the servlet: /welcome.jsp. Exception thrown : javax.servlet.ServletException: non-HTTP request or response

By: anom

anom — Wed, 26 Nov 2008 11:21:22 +0000

hi can you please4 explain the meaning of each line in method private String cleanXSS(String value).. i mean which line is used to prevent what.