Perform the following XSS checks for the customized JSP file to protect it from possible XSS attacks. For more information about XSS prevention techniques, see XSS (Cross Site Scripting) Prevention Cheat Sheet.
Perform the following steps:
Verify that the org.apache.commons.lang.StringEscapeUtils class is imported in the JSP file.
For information about how to edit a file, see Modifying Configurations in the NetIQ Access Manager CE 24.2 (v5.1) Administration Guide.
For example, the following import statement should be available in the import section of the JSP file:
<%@ page import="org.apache.commons.lang.StringEscapeUtils"%>
NOTE: The escapeHtml function supports all known HTML 4.0 entities but does not escape the apostrophe character (') because &apos; is not a legal HTML 4.0 entity.
Refer to the example below, taken from the file err_latest.jsp.
Add the following import statement to the JSPs:
<%@ page import="org.apache.commons.lang.StringEscapeUtils" %>
Example of using StringEscapeUtils:
strUIComponentsToHide = (String) StringEscapeUtils.escapeHtml(request.getParameter(NIDPConstants.HTTP_REQUEST_PARAM_NAME_UICOMPONENTS_TOHIDE));
When the getAttribute and getParameter methods are invoked on the request, the returned strings should be passed through the escapeHtml method of this StringEscapeUtils class before they are written to the page.
Handling HTML 4.0 entities while using StringEscapeUtils:
The commonly used apostrophe escape character (&apos;) is not a legal HTML 4.0 entity and so is not supported by escapeHtml. Replace the apostrophe in a separate step, for example with its numeric character reference:
strUIComponentsToHide = strUIComponentsToHide.replace("'", "&#39;");
See https://commons.apache.org/proper/commons-lang/apidocs/org/apache/commons/lang3/StringEscapeUtils.html and https://commons.apache.org/proper/commons-text/javadocs/api-release/org/apache/commons/text/StringEscapeUtils.html. Note that in commons-lang3 and commons-text the equivalent method is named escapeHtml4.
Verify that all URL query parameter values are sanitized.
The following sample shows how the URL query parameter values uname and target can be sanitized:
<%
    // Fetch the values from URL query parameters
    String target = (String) request.getAttribute("target");
    String uname = (String) request.getAttribute("username");
    String sanitizedUName = "";
    if (uname != null) {
        // Sanitize the value assigned to uname
        sanitizedUName = StringEscapeUtils.escapeHtml(uname);
    }
    String sanitizedTarget = "";
    if (target != null) {
        // Sanitize the value assigned to the target query param
        sanitizedTarget = StringEscapeUtils.escapeHtml(target);
    }
%>
Enclose the value attribute (or any attribute that is dynamically assigned) in double quotes ("") for any HTML element that gets assigned one of the above URL query parameter values. The escaping above turns every " in the value into &quot;, so the value cannot close a double-quoted attribute; an unquoted attribute receives no such protection.
<!-- The double quotes around the value attribute are mandatory to prevent XSS attacks -->
<input type="text" class="smalltext" name="Ecom_User_ID" size="30" value="<%=sanitizedUName%>">
...
<!-- The double quotes around the value attribute are mandatory to prevent XSS attacks -->
<input type="hidden" name="target" value="<%=sanitizedTarget%>">
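The checks above (escapeHtml, the separate apostrophe replacement, null handling, and the same treatment for both getParameter and getAttribute results) are easier to apply consistently from one helper than by repeating them in every scriptlet. The following class is an added example and is not part of the NetIQ documentation or of err_latest.jsp; the class name JspOutputEscaper and its method names are assumptions. It relies only on commons-lang 2.x (org.apache.commons.lang, the package the JSP already imports) and the Servlet API, both of which are on the classpath of a JSP.

```java
// Added example, not NetIQ code: one null-safe code path for every request value
// echoed into a JSP. Requires commons-lang 2.x and the Servlet API on the classpath.
import org.apache.commons.lang.StringEscapeUtils;
import javax.servlet.http.HttpServletRequest;

public final class JspOutputEscaper {

    private JspOutputEscaper() {
    }

    /**
     * Escapes a value for insertion into HTML text or a double-quoted attribute.
     * escapeHtml() handles &, <, >, " and the HTML 4.0 named entities but leaves
     * the apostrophe alone because &apos; is not an HTML 4.0 entity, so the
     * apostrophe is replaced with its numeric character reference &#39; instead.
     * A null value becomes the empty string so the caller never prints "null".
     */
    public static String escape(String value) {
        if (value == null) {
            return "";
        }
        return StringEscapeUtils.escapeHtml(value).replace("'", "&#39;");
    }

    /** Escaped form of a URL query parameter (request.getParameter). */
    public static String parameter(HttpServletRequest request, String name) {
        return escape(request.getParameter(name));
    }

    /** Escaped form of a request attribute (request.getAttribute), as used for "target" and "username". */
    public static String attribute(HttpServletRequest request, String name) {
        Object attr = request.getAttribute(name);
        return escape(attr == null ? null : attr.toString());
    }

    // Stand-alone demonstration on a constructed input containing every character
    // the helper is expected to neutralise: an apostrophe, tags, quotes and an ampersand.
    public static void main(String[] args) {
        String constructed = "O'Brien <b>\"test\"</b> & co";
        System.out.println("raw:     " + constructed);
        System.out.println("escaped: " + escape(constructed));
    }
}
```

In the JSP the two inputs from the sample above then become `value="<%= JspOutputEscaper.attribute(request, "username") %>"` and `value="<%= JspOutputEscaper.attribute(request, "target") %>"`, with the surrounding double quotes kept: the escaping makes a double-quoted attribute safe because every " in the value has become &quot;, while an unquoted attribute would still end at the first space in the value. If the JSP is ever moved to commons-lang3 or commons-text, change the import and call escapeHtml4 instead of escapeHtml; the apostrophe replacement stays, since escapeHtml4 also leaves the apostrophe untouched.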