How to deal with XSS on NVelocity

The Castle project is full of features, includes some amazing sub-projects, and it was a pleasure to develop with it.

My team is almost ready to provide custom EAM and we are polishing our system. We tried some basic XSS attacks and assumed they all worked.

Even though it will run on an Intranet environment, we don't want users to accidentally destroy the entire system, and we are exploring solutions to resolve XSS issues.

NVelocity escapes nothing by default, so this code:



with a field containing things like:



will give us a nice XSS alert.

The Microsoft AntiXSS library looks good: it handles several types of possible XSS vectors, etc. We ran into the AndyPike helper, but this solution will force us to reorganize several thousand lines. Yes, not good. And this won't handle automatic ActiveRecord / NVelocity binding when editing existing objects.

The question arises: using output encoding methods, is it possible / recommended to fix the Castle Project NVelocity engine? Like Brail? Does anyone have a better idea?


PS: Will Stackoverflowers using the Castle Project use such a patch?



2 answers

NVelocity does not escape anything by default

Oh my God. Then you have a lot of code fixes.

Failing to escape text in HTML is not an error that you can fix after the fact. Yes, there are libraries that filter out obviously bad input, but they only hide the problem, and not very well. Given the wide range of odd constructs that browsers will accept, there will always be ways to get through them with bad HTML, and at the same time they will give you false positives - for example, this post would be blocked for discussing the <script> tag.


They are, at best, a temporary sticking plaster until you can fix the real problem.



NVelocity can escape output automatically without you having to change your templates, and you don't need to change the NVelocity code.

See: NVelocity auto-escaping output for HTML encoding (EventCartridge and ReferenceInsert)
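To make the approach in this answer concrete (and the first answer's point that the fix is output encoding, not input filtering), here is an added example of a reference-insertion handler that HTML-encodes every `$reference` as it is written out. It is example code written for this page, not code from either answer or from the NVelocity project. It assumes the Castle NVelocity types `EventCartridge`, `ReferenceInsertionEventArgs` (with `OriginalValue` and a settable `NewValue`), `EventCartridge.AttachToContext` and `VelocityEngine.Evaluate`; the `RawHtml` wrapper is a hypothetical opt-out for markup the application itself produced.

```csharp
using System;
using System.IO;
using System.Web;                 // HttpUtility.HtmlEncode
using NVelocity;
using NVelocity.App;
using NVelocity.App.Events;

// Hypothetical marker type (not part of NVelocity): a value the application
// has already rendered as safe HTML and that must NOT be encoded again.
public sealed class RawHtml
{
    private readonly string html;
    public RawHtml(string html) { this.html = html; }
    public string Html { get { return html; } }
    public override string ToString() { return html; }
}

public static class AutoEncodeDemo
{
    // Assumed NVelocity hook: called once for every $reference being inserted.
    // Anything that is not explicitly marked RawHtml is HTML-encoded here, so
    // the templates themselves do not change.
    private static void HtmlEncodeOnInsert(object sender, ReferenceInsertionEventArgs e)
    {
        if (e.OriginalValue == null)
        {
            return;
        }

        RawHtml raw = e.OriginalValue as RawHtml;
        if (raw != null)
        {
            e.NewValue = raw.Html;      // explicit opt-out for trusted markup
            return;
        }

        e.NewValue = HttpUtility.HtmlEncode(e.OriginalValue.ToString());
    }

    // Renders a template string with auto-encoding attached to the given context.
    public static string Render(string template, VelocityContext context)
    {
        VelocityEngine engine = new VelocityEngine();
        engine.Init();

        EventCartridge cartridge = new EventCartridge();
        cartridge.ReferenceInsertion += HtmlEncodeOnInsert;
        cartridge.AttachToContext(context);   // encoding applies to this context only

        using (StringWriter writer = new StringWriter())
        {
            engine.Evaluate(context, writer, "autoencode", template);
            return writer.ToString();
        }
    }

    public static void Main()
    {
        VelocityContext context = new VelocityContext();

        // Constructed sample data: a user-supplied field containing markup,
        // and a piece of markup generated by the application itself.
        context.Put("name", "<script>alert('xss')</script>");
        context.Put("trusted", new RawHtml("<b>bold from the app</b>"));

        // $name is written out encoded; $trusted passes through unchanged.
        Console.WriteLine(Render("<p>Hello $name</p><div>$trusted</div>", context));
    }
}
```

Two caveats a practitioner would want: `HttpUtility.HtmlEncode` is correct for text between tags and for quoted attribute values, but a value placed inside a JavaScript block or a URL needs that context's encoding instead (the AntiXSS library mentioned in the question has separate methods for those); and an opt-out type like `RawHtml` moves the risk to wherever those wrappers are created, so grep for them in review.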


