Friday, January 29, 2016

Fixing xss vulnerabilities in your jaggery based web applications

XSS attacks are quite a common security threat in web applications.  For example, suppose your web application contains a url like below.


An attacker can get his own script executed  from above url, if you have not checked and fixed your xss vulnerabilities. He could perform a malicious script like below.


If above url did not contain proper encoding , when accessing above url, the script will be executed against your application.

In a jaggery based application , in order to encode you could easily use owasp java encoder.

In your jag file, first import the encoder like below.

 var Encode =;

Next you could use the Encode methods where and when it is related. For example let us take the above url , and let us assume that this url is implemented to be at a button click like below.

 <button type="button" class="btn btn-default" onclick="addUser(<%=Encode.forJavaScript(id)%>)"><%=i18n.localize("submit", "Submit")%></button>

After encoding, this would escape the ending script tag like,  </ \ script> .  Depending on the content you need to encode , you would have to choose the relevant encoding method, such as forHtml, forUriComponent etc.. You could find all the related methods in [1].