posted 15-Jul-2011 | 2 comments | , , , , , , ,

Afraid of malicious injections in your web app requests, heres a simple way to improve your application security. Push every request parameter through a filtering function before it’s feeded to your application code.

Such a function can be as simple as:

private String cleanParameter(String value) {
   if (value != null) {
      value = value.replaceAll("<", "&lt;").replaceAll(">", "&gt;");
      value = value.replaceAll("\\(", "&#40;").replaceAll("\\)", "&#41;");
      value = value.replaceAll("'", "&#39;");
      value = value.replaceAll("eval\\((.*)\\)", "");
      value = value.replaceAll("[\\\"\\\'][\\s]*javascript:(.*)[\\\"\\\']", "\"\"");
   }
   return value;
}

This will escape/remove potentially dangerous Javascript code and HTML/XML tags.

You can implement this on a web filter or a struts interceptor or a DWR filter depending on the technology you use for you app.