I have a lot of this type of old code in my Liferay app:
String code = request.getParameter("code");
It seems that in Liferay there is a “HtmlUtil.escape” function, so I assume I can use it like:
String code = HtmlUtil.escapeAttribute(request.getParameter("code"));
Is this the safest way to do it?
I also have another simple java project :
public void buildParams(String[] items, HttpServletRequest request) throws Exception {
typeRequest = URLDecoder.decode(request.getParameter(ReportUtil.PARAMETER_REQUEST_TYPE));
countEx = URLDecoder.decode(request.getParameter(ReportUtil.PARAMETER_COUNT));
Map<String, String> parametres = ReportGenerator.decodeMap(request.getParameter("parameters"), String.class);
...
What is the classic way to block injection without the Liferay “HtmlUtil.escape” function here?
1 Answer
Please consider reading the wonderful documentation created by OWASP about Cross-Site Scripting prevention.
It provides great insights about the different related types of attacks involved in the term, and how you can prevent or mitigate every one of them.
The documentation provides references to several related libraries like the OWASP Java Encoder project and OWASP Java HTML Sanitizer.
If you require a full-fledged prevention framework, you can use in your application the artifacts provided by the ESAPI project, from OWASP as well.
From a totally different point of view, in a very similar way to HtmlUtil.escape, you can use the different methods provided by the Apache commons-text library's StringEscapeUtils class.
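Added example (not from the question or the answer above, nor from Liferay or OWASP): it shows the contextual output encoding that the OWASP Cross-Site Scripting prevention documentation describes, using the OWASP Java Encoder and, for comparison, the commons-text StringEscapeUtils class mentioned in the answer. It assumes the OWASP Java Encoder, Apache commons-text and the Servlet API are on the classpath; the class name OutputEncodingExample and its methods are illustrative names chosen here. The raw request parameter is kept as it was read, and the encoding is applied at the point where the value is written into the page, picked for that context.

```java
// Added example, not code from the question, the answer, Liferay or OWASP.
// Assumes the OWASP Java Encoder (org.owasp.encoder:encoder), Apache commons-text
// and the Servlet API are on the classpath; the class and method names are mine.
import javax.servlet.http.HttpServletRequest;

import org.apache.commons.text.StringEscapeUtils;
import org.owasp.encoder.Encode;

public class OutputEncodingExample {

    // The parameter is stored unmodified; the servlet container has already
    // URL-decoded it, so no URLDecoder call is needed here.
    static String render(HttpServletRequest request) {
        String code = request.getParameter("code");
        return renderCode(code == null ? "" : code);
    }

    // Each output location gets the encoder for its own context.
    static String renderCode(String code) {
        StringBuilder html = new StringBuilder();

        // 1. Text between tags: & < > " ' are turned into entities (e.g. < becomes &lt;)
        html.append("<p>Report code: ").append(Encode.forHtml(code)).append("</p>\n");

        // 2. Quoted attribute value: a quote in the input cannot terminate the attribute
        html.append("<input type=\"text\" name=\"code\" value=\"")
            .append(Encode.forHtmlAttribute(code)).append("\">\n");

        // 3. JavaScript string literal: quotes, backslashes and the characters that
        //    could end the script block are backslash-escaped
        html.append("<script>var code = '")
            .append(Encode.forJavaScript(code)).append("';</script>\n");

        // 4. URL query component: percent-encoded, so the value cannot add
        //    its own parameters or path segments to the link
        html.append("<a href=\"/report?code=")
            .append(Encode.forUriComponent(code)).append("\">Open report</a>\n");

        return html.toString();
    }

    // commons-text equivalent for the HTML text context only; this is the
    // closest match to a generic HtmlUtil.escape-style call.
    static String renderCodeWithCommonsText(String code) {
        return "<p>Report code: " + StringEscapeUtils.escapeHtml4(code) + "</p>";
    }

    public static void main(String[] args) {
        // Constructed sample value containing the characters that matter in HTML
        String sample = "A\"><b>12</b>&'x";
        System.out.println(renderCode(sample));
        System.out.println(renderCodeWithCommonsText(sample));
    }
}
```

Two practical notes on the commons-text variant: escapeHtml4 does not escape the single quote, so it is only safe for attribute values that are wrapped in double quotes, and it offers nothing for the JavaScript or URL contexts, which is why a context-aware encoder such as the OWASP one is the simpler choice when a value ends up in more than one place on the page.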