sameergn
Hi,
We are filtering XSS characters by using a J2EE filter and wrapping the
request class. All the getParameter() methods are overridden to return
the value after cleaning XSS characters.
Do you think it is required to clean the output of getQueryString() also?
I wrote a simple JSP with the following code:
<html>
<head>
<!--META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('XSS');"-->
</head>
<%
// request.getRequestDispatcher(request.getParameter("qry")).forward(request, response);
response.sendRedirect(request.getParameter("qry"));
%>
</html>
The meta refresh tag causes the XSS code to be executed, but forward() or
sendRedirect(), which directly get the query parameter "qry", do not end up
being XSS victims.
The "qry" parameter value is set to "<script>alert('test')</script>".
Just wanted to check with the group whether we can safely exclude the output
of getQueryString() from XSS filtering, since all getParameter() methods are
protected.
Thanks,
Sameer
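
For the wrapper design described in the post above, an added example (not the poster's code) of a request wrapper in which getQueryString() is covered alongside getParameter(). It assumes the javax.servlet API of a J2EE container; the class name XssRequestWrapper and the helper encode() are hypothetical.

```java
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
// Added example: hypothetical names, not the poster's filter code.
public class XssRequestWrapper extends HttpServletRequestWrapper {
    public XssRequestWrapper(HttpServletRequest request) { super(request); }

    // HTML-encode characters significant in element and quoted-attribute context.
    static String encode(String value) {
        if (value == null) return null;
        StringBuilder out = new StringBuilder(value.length() + 16);
        for (char c : value.toCharArray()) {
            switch (c) {
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '&':  out.append("&amp;");  break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    @Override
    public String getParameter(String name) {
        return encode(super.getParameter(name));
    }

    @Override
    public String[] getParameterValues(String name) {
        String[] raw = super.getParameterValues(name);
        if (raw == null) return null;
        String[] cleaned = new String[raw.length];
        for (int i = 0; i < raw.length; i++) cleaned[i] = encode(raw[i]);
        return cleaned;
    }

    // The base wrapper delegates getQueryString() straight to the wrapped
    // request and never calls getParameter(), so it needs its own override.
    // The container does not percent-decode this value: code that decodes it
    // later must encode again before writing it into a response. The encoded
    // result is meant for HTML output, not for re-parsing as a query string.
    @Override
    public String getQueryString() {
        return encode(super.getQueryString());
    }
}
```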