
Thread: Fixing cross-site scripting (XSS) in search box

  1. #1
    Junior Member (joined Aug 2014)

    Fixing cross-site scripting (XSS) in search box

    I need your assistance in fixing an issue with the search text box in one of the JSPs. I was informed that cross-site scripting can be done through the text box, and I put the code below in my JSP to fix the issue:

    String searchTerm = request.getParameter("search");

    // entity-encode angle brackets, then strip everything except letters, digits and spaces
    searchTerm = searchTerm.replaceAll("<", "&lt;").replaceAll(">", "&gt;");
    searchTerm = searchTerm.replaceAll("[^A-Za-z0-9 ]", "");

    // blacklist patterns: eval(...), quoted javascript: URLs, the word "script"
    searchTerm = searchTerm.replaceAll("eval\\((.*)\\)", "");
    searchTerm = searchTerm.replaceAll("[\\\"\\\'][\\s]*((?i)javascript):(.*)[\\\"\\\']", "\"\"");
    searchTerm = searchTerm.replaceAll("((?i)script)", "");

    // entity-encode <, >, (, ) and ' again
    searchTerm = searchTerm.replaceAll("<", "&lt;").replaceAll(">", "&gt;");
    searchTerm = searchTerm.replaceAll("\\(", "&#40;").replaceAll("\\)", "&#41;");
    searchTerm = searchTerm.replaceAll("'", "&#39;");
    searchTerm = searchTerm.replaceAll("script", "");

    // same replacements repeated a third time
    searchTerm = searchTerm.replaceAll("<", "&lt;").replaceAll(">", "&gt;");
    searchTerm = searchTerm.replaceAll("\\(", "&#40;").replaceAll("\\)", "&#41;");
    searchTerm = searchTerm.replaceAll("'", "&#39;");
    searchTerm = searchTerm.replaceAll("eval\\((.*)\\)", "");
    searchTerm = searchTerm.replaceAll("[\\\"\\\'][\\s]*javascript:(.*)[\\\"\\\']", "\"\"");
    searchTerm = searchTerm.replaceAll("script", "");
    Now, after applying the above code, cross-site scripting can be done, and the problem is that the search can't be done using the text box: it displays no results every time.

    So, can you please assist me in writing the best code? Thanks.

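An added example, not code from the original post: the fix a practitioner would make is to stop rewriting the input at all and instead encode the value once, at output, for the HTML context it lands in. The raw term goes to the search back end unchanged (as a bound parameter, never concatenated into a query), and only the copy echoed into the page is escaped. The class below runs stand-alone; `termForQuery`, `renderResultsHeader` and the hand-rolled `escapeHtml` are illustrative names, and in a real JSP you would use JSTL's `<c:out value="${param.search}"/>` (or `fn:escapeXml`) or the OWASP Java Encoder's `Encode.forHtml` rather than writing an escaper. The constructed inputs also show why the posted filter returns nothing: `[^A-Za-z0-9 ]` discards every other character, including the `&lt;` the previous line just produced, so a term like `C++ & Java` is searched as `C  Java`.

```java
import java.util.LinkedHashMap;
import java.util.Map;

/**
 * Added example (not from the original post): keep the raw search term for the
 * query and HTML-encode it only where it is written into the page.  The escaper
 * is a stand-in for JSTL <c:out> / OWASP Encode.forHtml so the class has no
 * dependencies.
 */
public class SearchXssDemo {

    /**
     * Encode the five characters that change meaning inside HTML text or a
     * double-quoted attribute.  Everything else, including '(' and ')', is
     * harmless in those two contexts and passes through untouched.  This is NOT
     * sufficient for a value placed inside a <script> block or an event-handler
     * attribute; those need a JavaScript-string encoding instead.
     */
    static String escapeHtml(String s) {
        if (s == null) return "";
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /**
     * What the servlet hands to the search back end: the term exactly as typed.
     * It belongs in a PreparedStatement or search-API parameter, never in a
     * concatenated query and never in HTML.  (Hypothetical helper name.)
     */
    static String termForQuery(String rawParam) {
        return rawParam == null ? "" : rawParam.trim();
    }

    /**
     * What the JSP renders: the term echoed back into the results page, once in
     * an attribute and once in element text.  Encoding happens here, once, for
     * the HTML context.  (Hypothetical helper name.)
     */
    static String renderResultsHeader(String rawParam) {
        String q = termForQuery(rawParam);
        return "<input name=\"search\" value=\"" + escapeHtml(q) + "\">"
             + "<p>Results for: " + escapeHtml(q) + "</p>";
    }

    public static void main(String[] args) {
        // Constructed sample inputs: an ordinary term the posted filter mangles,
        // and an XSS probe that tries to break out of the value="..." attribute.
        Map<String, String> samples = new LinkedHashMap<>();
        samples.put("ordinary", "C++ & \"Java\" (2nd ed.)");
        samples.put("probe", "\"><script>alert(document.cookie)</script>");

        for (Map.Entry<String, String> e : samples.entrySet()) {
            String raw = e.getValue();
            System.out.println("[" + e.getKey() + "] query term : " + termForQuery(raw));
            System.out.println("[" + e.getKey() + "] rendered   : " + renderResultsHeader(raw));
        }
    }
}
```

Run with `javac SearchXssDemo.java && java SearchXssDemo`. The probe's `"` and `<` come out as `&quot;` and `&lt;` in both places, so the browser shows the payload as text and the attribute stays closed, while the ordinary term still reaches the query with its `+`, `&`, quotes and parentheses intact. A blacklist such as the one in the post can always be bypassed (`scrscriptipt`, `%3C`, event handlers with no `script` in them), whereas context-correct output encoding does not depend on guessing what an attacker will type.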

  2. #2
    KevinWorkman (joined Oct 2010, Washington, DC)

    Re: Fixing cross-site scripting (XSS) in search box

    This thread has been cross posted here:

    http://www.java-forums.org/new-java/91797-fixing-cross-site-scripting-xss-search-box.html

    Although cross posting is allowed, for everyone's benefit, please read:

    Java Programming Forums Cross Posting Rules

    The Problems With Cross Posting
