The Cross Site Scripting Cheat Sheet has many rules for securing against XSS attacks. I would like to implement those suggestions in my web app which is using Spring MVC + Jackson + JPA + Hibernate Bean Validation. As an example consider the following code that is similar to what I have in my app.
public class MessageJson {
@NotEmpty // Bean Validation annotation
private String title;
@NotEmpty
private String body;
// ... etc getters / setters
}
public class BolgPostController
{
@RequestMapping(value="messages",method=RequestMethod.POST)
public void createMessage(@Valid @RequestBody MessageJson message)
{
// **Question** How do I check that the message title and body don't contain
// nasty javascripts and other junk that should not be there?
// Call services to write data to the datababse
}
@RequestMapping(value="messages",method=RequestMethod.get)
public @ResponseBody List<MessageJson> createMessage()
{
// get data from the database
// **Question** How do I escape all the data in the list of MessageJson before
I send it back to the data.
}
}
I can see the following ways to implement the cheat sheet rules:
- Option A Implement them manually in each controller method.
- Option B Configure some extension to Spring MVC that can do it for me automatically
- Option C Configure Jackson so that it can do it for me since most of my input/output goes through Jackson
I am looking for some example configurations of SpringMVC in any of those three options, with a preference for option B and C.
That would be easiest to do in setters for properties (like
setTitle()fortitleproperty), when reading JSON.Or if you are thinking of escaping additional characters (to, say, prevent embedding of HTML markup), have a look at this blog entry: escaping HTML characters in JSON with Jackson.