Protecting web requests

Afraid of malicious injections in your web app requests, heres a simple way to improve your application security. Push every request parameter through a filtering function before it’s feeded to your application code.

Such a function can be as simple as:

private String cleanParameter(String value) {
   if (value != null) {
      value = value.replaceAll(&quot;&lt;&quot;, &quot;&amp;lt;&quot;).replaceAll(&quot;&gt;&quot;, &quot;&amp;gt;&quot;);
      value = value.replaceAll(&quot;\\(&quot;, &quot;&amp;#40;&quot;).replaceAll(&quot;\\)&quot;, &quot;&amp;#41;&quot;);
      value = value.replaceAll(&quot;&#039;&quot;, &quot;&amp;#39;&quot;);
      value = value.replaceAll(&quot;eval\\((.*)\\)&quot;, &quot;&quot;);
      value = value.replaceAll(&quot;[\\\&quot;\\\&#039;][\\s]*javascript:(.*)[\\\&quot;\\\&#039;]&quot;, &quot;\&quot;\&quot;&quot;);
   }
   return value;
}

This will escape/remove potentially dangerous Javascript code and HTML/XML tags.

You can implement this on a web filter or a struts interceptor or a DWR filter depending on the technology you use for you app.

Spartan Java

Simple yet powerful Java programming

Leave a Reply Cancel reply