12.7.1 Option 1: HTML Escaping

Perform the following XSS checks on the customized JSP file to protect it from XSS attacks. For more information about XSS prevention techniques, see the OWASP XSS (Cross Site Scripting) Prevention Cheat Sheet.

Perform the following steps:

  1. Verify that the org.apache.commons.lang.StringEscapeUtils class is imported in the JSP file.

    For example, the following page directive should be present in the import section of the JSP file:

    <%@ page import="org.apache.commons.lang.StringEscapeUtils"%>

  2. Verify that all URL query parameter values are HTML-escaped before they are written into the page.

    The following code snippet shows how the values of the URL query parameters uname and target (which the Identity Server passes to the JSP as the request attributes "username" and "target") are escaped:

    <%
    // Fetch the values that the Identity Server passes to the JSP as request attributes
    String target = (String) request.getAttribute("target");
    String uname = (String) request.getAttribute("username");
    String sanitizedUName = "";
    if (uname != null) {
        // HTML-escape the value assigned to uname
        sanitizedUName = StringEscapeUtils.escapeHtml(uname);
    }
    String sanitizedTarget = "";
    if (target != null) {
        // HTML-escape the value assigned to the target query param
        sanitizedTarget = StringEscapeUtils.escapeHtml(target);
    }
    %>

  3. Enclose the value attribute (or any other attribute that is dynamically assigned) of every HTML element that receives one of the escaped values in double quotes ("").

    This is not optional: StringEscapeUtils.escapeHtml encodes ", <, > and &, but it does not touch spaces or the single quote ('). Without the surrounding double quotes an attacker can still supply a value such as x onmouseover=alert(1) and inject a new attribute, and a single-quoted attribute can be broken out of with '. Always use double quotes.

    <!-- The double quotes around the value attribute are mandatory to prevent XSS attacks -->
    <input type="text" class="smalltext" name="Ecom_User_ID" size="30" value="<%=sanitizedUName%>">
    ......
    <!-- The double quotes around the value attribute are mandatory to prevent XSS attacks -->
    <input type="hidden" name="target" value="<%=sanitizedTarget%>">

  4. Restart the component whose JSP file you have modified. For example, if you modify Identity Server’s JSP file, restart Identity Server by running the following command:

    Linux: sh /etc/init.d/novell-idp restart

    Windows: net start Tomcat8 (run net stop Tomcat8 first if the service is already running; net start alone does not restart a running service)
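The following stand-alone Java class is an added example, not code from the Access Manager documentation or product. It isolates the rendering logic of steps 2 and 3 into small methods so you can see why both the escapeHtml call and the double-quoted attribute are needed: the first payload is neutralized by escaping alone, the second contains nothing escapeHtml changes and is held as data only by the surrounding double quotes, and the third shows that single quotes give no protection. The class name, method names and the payloads are constructed for this illustration; it assumes commons-lang 2.x is on the classpath, as the page directive in step 1 does.

```java
import org.apache.commons.lang.StringEscapeUtils;

/**
 * Added example (not Access Manager code): why the customized JSP needs both
 * escapeHtml (step 2) and a double-quoted attribute (step 3).
 * Compile with commons-lang 2.x on the classpath; run with "java -ea" so the
 * assertions are evaluated.
 */
public class XssEscapeCheck {

    // Hardened form from the page: escaped value inside a double-quoted attribute.
    static String renderQuoted(String uname) {
        String sanitized = uname == null ? "" : StringEscapeUtils.escapeHtml(uname);
        return "<input type=\"text\" name=\"Ecom_User_ID\" value=\"" + sanitized + "\">";
    }

    // Escaped but unquoted (step 3 skipped): escapeHtml leaves spaces alone,
    // so a value containing a space starts a new attribute. Failure mode only.
    static String renderUnquotedEscaped(String uname) {
        String sanitized = uname == null ? "" : StringEscapeUtils.escapeHtml(uname);
        return "<input type=\"text\" name=\"Ecom_User_ID\" value=" + sanitized + ">";
    }

    // Escaped but single-quoted: escapeHtml does not encode the apostrophe,
    // so the attribute can still be closed early. Failure mode only.
    static String renderSingleQuotedEscaped(String uname) {
        String sanitized = uname == null ? "" : StringEscapeUtils.escapeHtml(uname);
        return "<input type=\"text\" name=\"Ecom_User_ID\" value='" + sanitized + "'>";
    }

    public static void main(String[] args) {
        // Constructed payloads for the demonstration, not captured traffic.
        String breakout = "\"><script>alert(1)</script>";
        String attrInject = "x onmouseover=alert(1)";
        String singleQuoteBreakout = "' onmouseover=alert(1) x='";

        // Payload 1: ", < and > are entity-encoded, so the value stays inside
        // the double-quoted attribute.
        String h1 = renderQuoted(breakout);
        assert h1.equals("<input type=\"text\" name=\"Ecom_User_ID\" value=\""
                + "&quot;&gt;&lt;script&gt;alert(1)&lt;/script&gt;\">");

        // Payload 2: contains no character escapeHtml changes. With double
        // quotes it is plain data; without them a new attribute is injected.
        String h2 = renderQuoted(attrInject);
        assert h2.contains("value=\"x onmouseover=alert(1)\"");
        String h3 = renderUnquotedEscaped(attrInject);
        assert h3.contains("value=x onmouseover=alert(1)>");

        // Payload 3: the apostrophe survives escapeHtml, so a single-quoted
        // attribute is closed early and the handler is injected.
        String h4 = renderSingleQuotedEscaped(singleQuoteBreakout);
        assert h4.contains("value='' onmouseover=alert(1) x=''>");
        // The same payload inside double quotes is inert.
        assert renderQuoted(singleQuoteBreakout)
                .contains("value=\"' onmouseover=alert(1) x='\"");

        System.out.println("hardened:        " + h1);
        System.out.println("hardened:        " + h2);
        System.out.println("unquoted (bad):  " + h3);
        System.out.println("single-quoted (bad): " + h4);
    }
}
```

The takeaway for the JSP review is that escapeHtml and the double quotes each close a different hole: escaping stops the value from terminating the attribute or the tag, and the double quotes stop a value that needs no escaping from being parsed as further attributes.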