Cross-Site Scripting (XSS) remains one of the most prevalent web application vulnerabilities. This guide covers comprehensive strategies for preventing XSS attacks in your applications.
Key areas covered:
// Java Input Validation Example
public class InputValidator {
private static final Pattern SAFE_STRING =
Pattern.compile("^[a-zA-Z0-9\\s-_]{1,50}$");
public boolean validateInput(String input) {
if (input == null) {
return false;
}
return SAFE_STRING.matcher(input).matches();
}
// HTML Special Characters
public String escapeHtml(String input) {
if (input == null) {
return "";
}
return input
.replace("&", "&")
.replace("<", "<")
.replace(">", ">")
.replace("\"", """)
.replace("'", "'");
}
// URL Parameter Validation
public String validateUrlParameter(String param) {
if (param == null) {
return "";
}
return URLEncoder.encode(param,
StandardCharsets.UTF_8);
}
}
// JavaScript Input Validation
function validateInput(input) {
const safePattern = /^[a-zA-Z0-9\s-_]{1,50}$/;
return input && safePattern.test(input);
}
function escapeHtml(unsafe) {
return unsafe
.replace(/&/g, "&")
.replace(//g, ">")
.replace(/"/g, """)
.replace(/'/g, "'");
}// React XSS Prevention function SafeComponent({ userInput }) { // React automatically escapes content return{userInput}; // Dangerous - Don't do this // return; } // Angular XSS Prevention @Component({ template: `{{userInput}}` }) class SafeComponent { userInput: string; } // Vue XSS Prevention{{ userInput }}
// HTML Context String htmlEncode(String input) { return ESAPI.encoder().encodeForHTML(input); } // JavaScript Context String jsEncode(String input) { return ESAPI.encoder().encodeForJavaScript(input); } // URL Context String urlEncode(String input) { return ESAPI.encoder().encodeForURL(input); } // CSS Context String cssEncode(String input) { return ESAPI.encoder().encodeForCSS(input); } // XML Context String xmlEncode(String input) { return ESAPI.encoder().encodeForXML(input); } // Example Usage public class SafeOutput { public String generateSafeHtml(String userInput) { // HTML Context String safeHtml = htmlEncode(userInput); // JavaScript Context String safeJs = ""; // URL Context String safeUrl = ""; // CSS Context String safeCss = ""; return safeHtml; } }
// Thymeleaf Example
// Freemarker Example
${userInput}
// JSP Example
// Java Security Headers
@WebFilter("/*")
public class SecurityHeadersFilter implements Filter {
@Override
public void doFilter(ServletRequest request,
ServletResponse response,
FilterChain chain)
throws IOException, ServletException {
HttpServletResponse httpResponse =
(HttpServletResponse) response;
// Content Security Policy
httpResponse.setHeader("Content-Security-Policy",
"default-src 'self'; " +
"script-src 'self' 'unsafe-inline' " +
"'unsafe-eval' https://trusted.com; " +
"style-src 'self' 'unsafe-inline' " +
"https://trusted.com; " +
"img-src 'self' https://trusted.com; " +
"connect-src 'self' https://api.trusted.com; " +
"frame-ancestors 'none'; " +
"form-action 'self';");
// XSS Protection Header
httpResponse.setHeader("X-XSS-Protection",
"1; mode=block");
// Content Type Options
httpResponse.setHeader("X-Content-Type-Options",
"nosniff");
// Frame Options
httpResponse.setHeader("X-Frame-Options",
"DENY");
chain.doFilter(request, response);
}
}@EnableWebSecurity
public class SecurityConfig extends
WebSecurityConfigurerAdapter {
@Override
protected void configure(
HttpSecurity http) throws Exception {
http
// XSS Protection
.headers()
.xssProtection()
.and()
.contentSecurityPolicy(
"default-src 'self'; " +
"script-src 'self' 'unsafe-inline' " +
"'unsafe-eval' https://trusted.com; " +
"style-src 'self' 'unsafe-inline' " +
"https://trusted.com;")
.and()
// Frame Options
.frameOptions()
.deny()
.and()
// Content Type Options
.contentTypeOptions()
.and()
// HSTS
.httpStrictTransportSecurity()
.includeSubDomains(true)
.preload(true)
.maxAgeInSeconds(31536000);
}
}Cross-Site Scripting prevention requires a multi-layered approach combining input validation, output encoding, and security headers. By following the techniques and best practices outlined in this guide, you can significantly reduce the risk of XSS vulnerabilities in your applications.
Remember to stay updated with the latest XSS attack vectors and defense mechanisms as the threat landscape evolves.