XSSSanitize Java action replacing special HTML characters

0
Hi all, during a security audit the team found that my application executes script written inside string fields. I searched online and used the XSSSanitize Java action available in the CommunityCommons module. This action replaces HTML characters such as " with &quot;. I tried different policies and all of them behave the same. But an end user who enters proper text containing " does not want it converted like this. So could anyone tell me whether there is an option to avoid cross-site scripting for string input fields?
asked
2 answers
0

From your description, it looks like XSSSanitize also escapes all HTML characters. According to Google, you can undo this by creating a Java action with a String input and a String output and the following code:

return StringEscapeUtils.unescapeHtml4(input);

Be sure to add the import: import org.apache.commons.lang3.StringEscapeUtils;

Note 1: I haven't actually tested this.

Note 2: You should ensure that unescaping the HTML does not leave you vulnerable. XSSSanitize is controlled by policy files found in /projectfolder/resources/communitycommons/antisamy. You can manually edit these files to allow or disallow additional characters or elements.

answered
0

Where is the string actually being placed in your DOM such that it can be executed? It almost certainly is not a Mendix default widget, but rather some vulnerability in a custom widget.

For example, I've seen an XSS risk in the past in the DropDownDivConverter widget. It was using the value of an attribute directly as the label on a button. So the fix was to escape that value before it was placed in the DOM, like this:

https://github.com/tieniber/DropdownDivConverter/blob/master/src/DropdownDivConverter/widget/DropdownDivConverter.js#L280

answered
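An added illustration of the point made in this answer, written for this page rather than taken from the thread or from the widget's own source: keep the stored attribute value raw (the user's literal " survives) and encode it only at the moment it is written into HTML. The function names and the sample strings are hypothetical.

```javascript
// Added example (not the widget's code): output encoding at the DOM sink.
// The stored value is never rewritten; only the HTML rendering is escaped,
// so a user who typed  He said "hello"  still sees exactly that on screen.

// Escape the characters that are significant in an HTML text or attribute context.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Unsafe pattern (the class of bug described above): the attribute value is
// concatenated straight into markup, so any tags it contains become live HTML.
function buildButtonUnsafe(label) {
  return '<button class="dropdown-toggle">' + label + "</button>";
}

// Safe pattern: identical markup, but the label is encoded for the HTML context.
function buildButtonSafe(label) {
  return '<button class="dropdown-toggle">' + escapeHtml(label) + "</button>";
}

// When a real element is at hand, textContent is simpler still: the browser
// treats the assigned string as literal text and never parses it as markup.
function setButtonLabel(buttonEl, label) {
  buttonEl.textContent = label;
  return buttonEl;
}

// Constructed sample inputs: ordinary text with quotes, and a markup test string.
const friendlyText = 'He said "hello"';
const markupText = "<script>alert(1)</script>";

console.log(buildButtonUnsafe(markupText)); // tags survive: this is the XSS sink
console.log(buildButtonSafe(markupText));   // tags neutralised as &lt;script&gt;...
console.log(buildButtonSafe(friendlyText)); // &quot; in the source, rendered as "
```

The value the user entered is left untouched in the database; only the rendered markup carries entities, which the browser displays as the original characters.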