Kinetic Community

Security

This page briefly covers the resources available for dealing with security issues inside the Bundle.

Cross-Site Scripting

Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted web sites. 

XSS - Escaping 

In order to deal with cross-site scripting attacks from within the Bundle, it is important to escape any data that can be modified by the client; as a rule, never trust client-side user input. The Bundle's escape methods are intended for dealing with this problem inside the JSP.

// Enclosing class name is illustrative; the page shows only the static methods.
public class BundleEscape {

  /**
   * Escapes html entities so they are rendered in the browser as text
   *
   * @param rawString - the raw string to escape
   * @return the raw string with all html characters replaced with entity values
   */
  public static String escape(Object rawString) {
      if (rawString == null || "".equals(rawString)) {
          return "";
      } else {
          return org.apache.commons.lang3.StringEscapeUtils.escapeHtml4(rawString.toString());
      }
  }

  /**
   * Same as escape(Object), but returns defaultText when the escaped value is empty
   * (null input, empty input, or input that escapes to an empty string).
   *
   * @param rawString - the raw string to escape
   * @param defaultText - the text to return when there is nothing to display
   * @return the escaped string, or defaultText if the escaped string is empty
   */
  public static String escape(Object rawString, String defaultText) {
      String escaped = escape(rawString);
      if ("".equals(escaped)) {
          return defaultText;
      } else {
          return escaped;
      }
  }

  /**
   * Escapes XML special characters, including the apostrophe, which escapeHtml4 leaves unchanged.
   * Note: StringEscapeUtils.escapeXml is deprecated as of commons-lang3 3.3; escapeXml11 is the
   * maintained equivalent.
   *
   * @param rawString - the raw string to escape
   * @return the raw string with XML special characters replaced with entity values
   */
  public static String escapeXML(Object rawString) {
      if (rawString == null || "".equals(rawString)) {
          return "";
      } else {
          return org.apache.commons.lang3.StringEscapeUtils.escapeXml(rawString.toString());
      }
  }
}
The escape methods escape dynamic data before it is written into the page. Below is an example of how this might be used in a JSP:
<% 
String scriptAttack = "<script>alert('You have been hijacked')</script>";
%>
<%= escape(scriptAttack)%>
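The following is an added, stand-alone example and not Bundle code. It applies the same commons-lang3 call the Bundle's escape method wraps (escapeHtml4) to constructed inputs, and shows the one context the HTML4 escaping does not cover on its own: escapeHtml4 converts <, >, & and " but leaves the apostrophe unchanged, so a value written into a single-quoted attribute needs the apostrophe escaped as well. The class and helper names (EscapeDemo, escapeHtml, escapeSingleQuotedAttribute, renderField) are assumptions made for this example; only commons-lang3 on the classpath is required, which the Bundle already depends on.

```java
// Added example, not part of the Bundle. Helper names below are illustrative.
import org.apache.commons.lang3.StringEscapeUtils;

public class EscapeDemo {

    /**
     * Escape for an HTML element body or a double-quoted attribute. This is
     * the same call the Bundle's escape() makes. escapeHtml4 converts
     * < > & and " to entities but leaves the apostrophe (') untouched.
     */
    static String escapeHtml(Object raw) {
        if (raw == null || "".equals(raw)) {
            return "";
        }
        return StringEscapeUtils.escapeHtml4(raw.toString());
    }

    /**
     * Escape for a single-quoted attribute value. An unescaped apostrophe
     * would end the attribute early, so it is converted on top of escapeHtml4.
     */
    static String escapeSingleQuotedAttribute(Object raw) {
        return escapeHtml(raw).replace("'", "&#39;");
    }

    /**
     * Render one untrusted value into a fixed template, escaping each slot
     * for the context it lands in. The markup itself is constant; only the
     * client-supplied value is escaped.
     */
    static String renderField(String label, String value) {
        return "<label for='f'>" + escapeSingleQuotedAttribute(label) + "</label>"
             + "<input id='f' value='" + escapeSingleQuotedAttribute(value) + "'>"
             + "<p>" + escapeHtml(value) + "</p>";
    }

    public static void main(String[] args) {
        // Constructed inputs: the same script string the page's JSP example
        // uses, and an ordinary value that happens to contain an apostrophe
        // and a tag.
        String scriptAttack = "<script>alert('You have been hijacked')</script>";
        String nameWithQuote = "O'Brien <b>";

        System.out.println(escapeHtml(scriptAttack));
        System.out.println(escapeHtml(nameWithQuote));
        System.out.println(escapeSingleQuotedAttribute(nameWithQuote));
        System.out.println(renderField("Name", nameWithQuote));

        // Self-check: nothing written into the single-quoted attribute slot
        // may still contain a raw apostrophe or angle bracket.
        String attr = escapeSingleQuotedAttribute(nameWithQuote);
        if (attr.contains("'") || attr.contains("<") || attr.contains(">")) {
            throw new IllegalStateException("attribute escaping failed: " + attr);
        }
    }
}
```

Run with commons-lang3 on the classpath. The first line of output is what the page's `<%= escape(scriptAttack)%>` produces: the angle brackets become entities while the apostrophes inside `alert('...')` stay as they are, which is harmless in an element body but not inside a single-quoted attribute; that is the case escapeSingleQuotedAttribute handles.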
