I am working on fixing cross-site scripting issues in Java. Since I am new to OWASP, could someone please help me figure out how to use OWASP in the cases below to sanitize inputs?
```java
import java.util.Enumeration;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;

Enumeration<String> headerNames = request.getHeaderNames();  // names of all request headers
Map<String, String[]> pMap = request.getParameterMap();      // parameter name -> all of its values
String value = request.getHeader(key);                       // a single header; getHeader() returns String, not Object
String[] refs = request.getParameterValues(REFS_NAME);       // all values of a multi-valued parameter
```
While data validation can be very helpful in preventing XSS, it doesn't necessarily cover all the bases for persistent XSS. The only 100% effective protection is proper contextual output encoding, as offered by the OWASP Java Encoder Project or OWASP ESAPI's Encoder. One reason for this is that, for persistent XSS, the tainted data can come from a DB that might be entered or altered by another application which has insert/update access to those same DB tables but which is NOT doing proper data validation. (That is, the tainted data could enter your system in some manner other than through your application.) So the only foolproof solution is to do proper contextual output encoding. The OWASP XSS Prevention Cheat Sheet that you have already been pointed to is a great place to start; it explains all of that.
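As an added worked example (not code from the question or the answer above, and not from the OWASP project itself), the following shows what "contextual output encoding" looks like with the OWASP Java Encoder. It assumes the library is on the classpath (Maven coordinates `org.owasp.encoder:encoder`, e.g. version 1.2.3). The raw values, as returned by `getParameterMap()` / `getHeader()` in the question, are kept unchanged and encoded only at the point where they are written into the page, using the encoder for the context each one lands in. The tainted inputs in `main` are constructed for the demo; the `bio` value stands in for a row read back from a DB that another application stored without validation.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import org.owasp.encoder.Encode;

// Added example, not from the question, the answer or the OWASP project.
// Assumes org.owasp.encoder:encoder (OWASP Java Encoder) is on the classpath.
public class ContextualEncodingDemo {

    // Vulnerable: raw values concatenated straight into markup, script and URL.
    static String renderUnsafe(String name, String bio, String theme) {
        return "<div class=\"" + theme + "\">"
             + "<h1>Hello " + name + "</h1>"
             + "<script>var bio = '" + bio + "';</script>"
             + "<a href=\"/profile?user=" + name + "\">profile</a>"
             + "</div>";
    }

    // Hardened: same markup, one encoder per output context.
    static String renderSafe(String name, String bio, String theme) {
        return "<div class=\"" + Encode.forHtmlAttribute(theme) + "\">"            // quoted attribute value
             + "<h1>Hello " + Encode.forHtml(name) + "</h1>"                        // element content
             + "<script>var bio = '" + Encode.forJavaScript(bio) + "';</script>"    // inside a JS string literal
             + "<a href=\"/profile?user=" + Encode.forUriComponent(name) + "\">profile</a>" // query-string value
             + "</div>";
    }

    // Parameter names are attacker-controlled too, so encode keys as well as values.
    static String renderParamTable(Map<String, String[]> params) {
        StringBuilder sb = new StringBuilder("<table>");
        for (Map.Entry<String, String[]> e : params.entrySet()) {
            for (String v : e.getValue()) {
                sb.append("<tr><td>").append(Encode.forHtml(e.getKey()))
                  .append("</td><td>").append(Encode.forHtml(v)).append("</td></tr>");
            }
        }
        return sb.append("</table>").toString();
    }

    public static void main(String[] args) {
        // Constructed tainted inputs. "bio" plays the role of a value read back from
        // a DB row that a different application inserted without any validation.
        String name  = "<img src=x onerror=alert(1)>";
        String bio   = "'; alert(document.cookie); //";
        String theme = "dark\" onmouseover=\"alert(1)";

        System.out.println("UNSAFE: " + renderUnsafe(name, bio, theme));
        System.out.println("SAFE:   " + renderSafe(name, bio, theme));

        // Same shape as request.getParameterMap() in the question.
        Map<String, String[]> params = new LinkedHashMap<>();
        params.put("q", new String[] { "shoes", "<script>alert(2)</script>" });
        params.put("<b>evil-key</b>", new String[] { "x" });
        System.out.println(renderParamTable(params));
    }
}
```

The point of `renderSafe` is that the same string needs a different encoder depending on where it is written: `forHtml` for element content, `forHtmlAttribute` inside a quoted attribute, `forJavaScript` inside a JavaScript string literal (it also escapes `/`, so a `</script>` in the data cannot close the script block), and `forUriComponent` for a query-string value. Applying one encoding at input time cannot do that, and it would not cover data that reached the DB through another application anyway.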