Afraid of malicious injections in your web app requests? Here's a simple way to improve your application's security: push every request parameter through a filtering function before it is fed to your application code.
Such a function can be as simple as:
private String cleanParameter(String value) {
    if (value != null) {
        // Strip the script-like patterns first: the regexes below look for
        // literal parentheses and quotes, so they must run before those
        // characters are turned into entities, or they would never match.
        // (?i) makes the match case-insensitive.
        value = value.replaceAll("(?i)eval\\((.*)\\)", "");
        value = value.replaceAll("(?i)[\"']\\s*javascript:(.*)[\"']", "\"\"");
        // Escape tag delimiters, parentheses and single quotes as HTML entities.
        value = value.replaceAll("<", "&lt;").replaceAll(">", "&gt;");
        value = value.replaceAll("\\(", "&#40;").replaceAll("\\)", "&#41;");
        value = value.replaceAll("'", "&#39;");
    }
    return value;
}
This escapes HTML/XML tag delimiters and removes the most obvious inline JavaScript patterns before the value reaches your code.
You can implement this in a servlet filter, a Struts interceptor, or a DWR filter, depending on the technology you use for your app.
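As an added example (not code from the original post), here is the servlet-filter variant mentioned above: a javax.servlet Filter that wraps the incoming HttpServletRequest so that every parameter accessor (getParameter, getParameterValues, getParameterMap) returns the cleaned value. The filter name, URL pattern and class names are hypothetical; it assumes a Servlet 3.0+ container so that the @WebFilter annotation is picked up without web.xml.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

// Hypothetical filter name and URL pattern; adjust for your deployment.
@WebFilter(filterName = "ParameterCleaningFilter", urlPatterns = "/*")
public class ParameterCleaningFilter implements Filter {

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        if (request instanceof HttpServletRequest) {
            // Everything downstream (servlets, Struts actions, DWR calls) sees
            // only the wrapped request and therefore only cleaned parameters.
            request = new CleanedRequest((HttpServletRequest) request);
        }
        chain.doFilter(request, response);
    }

    /** Wraps the request so that every parameter accessor returns filtered values. */
    static class CleanedRequest extends HttpServletRequestWrapper {

        CleanedRequest(HttpServletRequest request) {
            super(request);
        }

        @Override
        public String getParameter(String name) {
            return cleanParameter(super.getParameter(name));
        }

        @Override
        public String[] getParameterValues(String name) {
            return cleanAll(super.getParameterValues(name));
        }

        @Override
        public Map<String, String[]> getParameterMap() {
            // Rebuild the map so that code iterating over all parameters
            // cannot bypass the filter by reading the raw map.
            Map<String, String[]> cleaned = new HashMap<>();
            for (Map.Entry<String, String[]> entry : super.getParameterMap().entrySet()) {
                cleaned.put(entry.getKey(), cleanAll(entry.getValue()));
            }
            return Collections.unmodifiableMap(cleaned);
        }

        private static String[] cleanAll(String[] values) {
            if (values == null) {
                return null;
            }
            return Arrays.stream(values)
                    .map(CleanedRequest::cleanParameter)
                    .toArray(String[]::new);
        }

        // Same logic as the post's cleanParameter: remove script-like patterns
        // first (they look for literal parentheses and quotes), then escape.
        static String cleanParameter(String value) {
            if (value == null) {
                return null;
            }
            value = value.replaceAll("(?i)eval\\((.*)\\)", "");
            value = value.replaceAll("(?i)[\"']\\s*javascript:(.*)[\"']", "\"\"");
            value = value.replaceAll("<", "&lt;").replaceAll(">", "&gt;");
            value = value.replaceAll("\\(", "&#40;").replaceAll("\\)", "&#41;");
            value = value.replaceAll("'", "&#39;");
            return value;
        }
    }
}
```

If your container predates Servlet 3.0, register the same class with a filter and filter-mapping entry in web.xml instead of the annotation. Treat this kind of input filter as defence in depth: it only rewrites characters and patterns it knows about, so values that end up in HTML, JavaScript or SQL still need the contextual encoding or parameterisation appropriate to where they are rendered.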