How best to sanitize input in Java webapp

Question

We use jsp, servlets, beans with mysql database. We don't want to restrict the characters entered by users on form fields. So how do I sanitize the input and how to make sure the output is not changed for malicious activities. Is there way while sending the output I could check if extra code has been sent. Like suppose there is search input field -- the user gives something like <script>alert("I am here")</script>. Is there anway I could know this is a html tag. If the user appends an extra parameter to a link field, is there like a before and after check I could do for the document to realize there has been a extra link field.

Answer 1

Give jsoup a go to help you out with this. Whatever you do, don't try to hack this up using regex or something, because then you'll have 2 problems. :-)

With jsoup, all you need is a short snippet of code:

String safe = Jsoup.clean(unsafe, Whitelist.basic());

You can add tags and attributes to Whitelist fairly easily, though I found it doesn't support namespace tags.

Answer 2

You really should allow users to input as little HTML and/or javascript as possible. One good solution to validating and sanitizing this stuff is to use a ready-made library like OWASP AntiSamy.

Also, take a look at OWASP Enterprise Security API for a collection of security methods that a developer needs to build a secure web application.

Answer 3

You should always do basic HTML-escaping of data taken from sources like user input or the database that might contain invalid characters. The <c:out> JSP tag does this, for example. That way if the user enters "<script> ..." in a field and you are printing it back again, it will be printed to the HTML as "<script> ...".