XSS and HttpServletRequest.getQueryString

S

sameergn

Hi,

We are filtering XSS characters by using a J2EE filter and wrapping
request class. All the getParameter() methods are overridden to return
value after cleaning XSS characters.

Do you think it is required to clean output of getQueryString() also?
I wrote a simple JSP with following code

<html>
<head>
<!--META HTTP-EQUIV="refresh"
CONTENT="0;url=javascript:alert('XSS');"-->
</head>
<%
//
request.getRequestDispatcher(request.getParameter("qry")).forward(request,
response);
response.sendRedirect(request.getParameter("qry"));
%>
</html>

meta refresh tag causes XSS code to be executed, but forward() or
sendRedirect() which
directly get a query parameter "qry", does not end up being XSS
victim.
"qry" parameter value is set to "<script>alert('test')</script>"

Just wanted to check from the group if we can safely exclude output of
getQueryString()
from XSS filtering since all getParameter() are protected.

Thanks,
Sameer
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Members online

No members online now.

Forum statistics

Threads
473,744
Messages
2,569,482
Members
44,901
Latest member
Noble71S45

Latest Threads

Top