How to Avoid Cross Site Scripting (XSS) Attacks Using JSF and RichEditor

I am using RichEditor to input user text in an all-JSF framework. I am trying to avoid XSS attacks on this text box.

The requirements are that

  • the user can enter any character in the text box,
  • the rich editor should display the unencoded values, i.e. the editor should display < rather than &lt;,
  • Cross-Site Scripting (XSS) should be avoided.

So the problem is that, since we have to display the values correctly, we put escape=false on the output text, but then we become vulnerable to XSS attacks.

I tried to use jsoup to filter HTML tags, but it seems that the input is auto-encoded, so jsoup cannot be used.

So my questions are as follows.

  • Is there a better way to avoid XSS attacks for a rich editor with escape=false?
  • It looks like the text input is encoded by the time it reaches save, so I couldn't filter it with jsoup. How does JSF work internally in terms of encoding and decoding text values? At what point can the script be executed?
  • If it is encoded internally, do I only need to worry about an XSS attack after receiving the input?
  • Also, there is programmatic Parse, and it is used to intercept the request. Is this a common hacking tool, how can it be used for a potential attack, and how can it be avoided in a real scenario? In particular, does it make any difference if a person intercepts the request, as this software does for a normal request?
1 answer


You must implement a Content Security Policy on any pages where you display rich text.

This effectively stops inline scripts from being executed by the browser. It is currently supported by modern browsers like Chrome and Firefox.

This is done using an HTTP response header on your page.

e.g.

Content-Security-Policy: script-src 'self' https://apis.google.com

will stop inline JavaScript execution if the user manages to inject it into your page (it will be ignored with a warning), but will allow script tags to link to your own server or https://apis.google.com. It can be customized to suit your needs.

You can use this in conjunction with an HTML sanitizer to strip any malicious tags, for a belt-and-braces approach and to protect browsers that don't support CSP.

Google has now implemented a CSP in Gmail to ensure that any HTML it receives cannot be used to mount an XSS attack.

Update: the last time I checked, the CSP in Gmail looks pretty weak, allowing script-src to have both 'unsafe-inline' and 'unsafe-eval':

content-security-policy: script-src https://clients4.google.com/insights/consumersurveys/ https://www.google.com/js/bg/ 'self' 'unsafe-inline' 'unsafe-eval' https://mail.google.com/_/scs/mail-static/ https://hangouts.google.com/ https://talkgadget.google.com/ https://*.talkgadget.google.com/ https://www.googleapis.com/appsmarket/v2/installedApps/ https://www-gm-opensocial.googleusercontent.com/gadgets/js/ https://docs.google.com/static/doclist/client/js/ https://www.google.com/tools/feedback/ https://s.ytimg.com/yts/jsbin/ https://www.youtube.com/iframe_api https://ssl.google-analytics.com/ https://apis.google.com/_/scs/abc-static/ https://apis.google.com/js/ https://clients1.google.com/complete/ https://apis.google.com/_/scs/apps-static/_/js/ https://ssl.gstatic.com/inputtools/js/ https://ssl.gstatic.com/cloudsearch/static/o/js/ https://www.gstatic.com/feedback/js/ https://www.gstatic.com/common_sharing/static/client/js/ https://www.gstatic.com/og/_/js/;frame-src https://clients4.google.com/insights/consumersurveys/ https://calendar.google.com/accounts/ 'self' https://accounts.google.com/ https://apis.google.com/u/ https://apis.google.com/_/streamwidgets/ https://clients6.google.com/static/ https://content.googleapis.com/static/ https://mail-attachment.googleusercontent.com/ https://www.google.com/calendar/ https://calendar.google.com/calendar/ https://docs.google.com/ https://drive.google.com https://*.googleusercontent.com/docs/securesc/ https://feedback.googleusercontent.com/resources/ https://www.google.com/tools/feedback/ https://support.google.com/inapp/ https://*.googleusercontent.com/gadgets/ifr https://hangouts.google.com/ https://talkgadget.google.com/ https://*.talkgadget.google.com/ https://www-gm-opensocial.googleusercontent.com/gadgets/ https://plus.google.com/ https://wallet.google.com/gmail/ https://www.youtube.com/embed/ https://clients5.google.com/pagead/drt/dn/ https://clients5.google.com/ads/measurement/jn/ https://www.gstatic.com/mail/ww/ https://www.gstatic.com/mail/intl/ https://clients5.google.com/webstore/wall/ https://ci3.googleusercontent.com/ https://apis.google.com/additnow/ https://www.gstatic.com/mail/promo/ https://notifications.google.com/ https://mail-payments.google.com/mail/payments/;report-uri https://mail.google.com/mail/cspreport;object-src https://mail-attachment.googleusercontent.com/swfs/ https://mail-attachment.googleusercontent.com/attachment/
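The belt-and-braces combination the answer recommends (allowlist sanitizer on the server plus a CSP that refuses inline script), as an added, runnable illustration that is not part of the answer or of any JSF library. It is stdlib Python rather than JSF code: in a JSF application the header would be set from a servlet filter (HttpServletResponse.setHeader) and the sanitizer would be a maintained library such as the OWASP Java HTML Sanitizer. The allowlist (formatting tags plus href-only links), the host list, the nonce scheme and all function names are assumptions chosen for the example; the payloads in the demo are constructed. Because every text node is re-escaped on output, input that JSF has already encoded (e.g. `&lt;b&gt;`) stays literal text, which is the behaviour the question wants for escape=false output, and the last function flags the `'unsafe-inline'`/`'unsafe-eval'` weakness the update points out in the Gmail policy.

```python
# Added illustration (not JSF code): allowlist sanitizer + nonce-based CSP.
import html
import re
import secrets
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed policy for a comment-style editor: basic formatting and links only.
ALLOWED_TAGS = {"p", "b", "i", "u", "em", "strong", "ul", "ol", "li", "br", "a"}
ALLOWED_ATTRS = {"a": {"href"}}
SAFE_SCHEMES = {"", "http", "https", "mailto"}  # "" = relative URL
VOID_TAGS = {"br"}

def safe_href(value):
    """Reject javascript:, data:, vbscript: ... Whitespace/control chars are
    stripped first because browsers ignore them inside the scheme."""
    cleaned = re.sub(r"[\x00-\x20]", "", value or "")
    try:
        return urlsplit(cleaned).scheme.lower() in SAFE_SCHEMES
    except ValueError:
        return False

class AllowlistSanitizer(HTMLParser):
    """Re-serialises allowlisted tags only; all text is re-escaped, so input
    that arrives pre-encoded (e.g. &lt;b&gt;) stays literal text."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.open, self.skip = [], [], 0

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip += 1              # drop the element and its contents
            return
        if tag not in ALLOWED_TAGS:
            return                      # drop the tag, keep its text
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, ()):
                continue                # removes onclick=, onerror=, style= ...
            if name == "href" and not safe_href(value):
                continue
            kept.append(' %s="%s"' % (name, html.escape(value or "", quote=True)))
        if tag == "a":
            kept.append(' rel="noopener noreferrer"')
        self.out.append("<%s%s>" % (tag, "".join(kept)))
        if tag not in VOID_TAGS:
            self.open.append(tag)

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip = max(0, self.skip - 1)
        elif tag in self.open:          # close intervening tags: stays well formed
            while self.open:
                top = self.open.pop()
                self.out.append("</%s>" % top)
                if top == tag:
                    break

    def handle_data(self, data):
        if not self.skip:
            self.out.append(html.escape(data, quote=False))

def sanitize(fragment):
    p = AllowlistSanitizer()
    p.feed(fragment)
    p.close()
    while p.open:                       # close whatever the input left open
        p.out.append("</%s>" % p.open.pop())
    return "".join(p.out)

def csp_header(nonce, script_hosts=("https://apis.google.com",)):
    """Permit only the page's own nonce'd scripts and the listed hosts, so
    inline script the sanitizer missed is still refused by the browser."""
    sources = ["'self'", "'nonce-%s'" % nonce, *script_hosts]
    policy = "; ".join(["default-src 'self'", "script-src " + " ".join(sources),
                        "object-src 'none'", "base-uri 'self'"])
    return "Content-Security-Policy", policy

WEAK_TOKENS = {"'unsafe-inline'", "'unsafe-eval'", "*", "data:", "http:", "https:"}

def script_src_weaknesses(policy):
    """script-src tokens that let injected markup run anyway (compare the
    'unsafe-inline'/'unsafe-eval' in the Gmail policy quoted above)."""
    for directive in policy.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "script-src":
            return sorted(t for t in parts[1:] if t.lower() in WEAK_TOKENS)
    return ["no script-src directive"]

if __name__ == "__main__":
    for payload in ('<script>alert(1)</script>', '<img src=x onerror=alert(1)>',
                    '<a href="JaVa\tscript:alert(1)">link</a>',
                    '<p onclick="x()">1 &lt; 2 &amp; <b>bold</p>'):  # constructed
        print(repr(payload), "->", repr(sanitize(payload)))
    name, value = csp_header(secrets.token_urlsafe(16))
    print(name + ": " + value, "| weak tokens:", script_src_weaknesses(value))
```

The nonce must be generated fresh per response and placed on the page's own script tags; with a nonce in script-src, CSP-aware browsers ignore any inline handler or `<script>` the editor content smuggles in, while the sanitizer covers browsers without CSP support. Keep the tag allowlist as small as the editor's features require; an allowlist that grows to include `style`, `iframe` or `svg` quickly reopens the hole.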