on 2018 Jun 27 11:58 AM
Dear experts et al.,
We had a company doing a security audit for us and we realized that we are vulnerable to some subtle forms of XSS, such as:
" onfocus="alert(document.cookie)
searchterms=test%22%20onmouseover=%22alertt()%22%3E%3Ca=%22
searchterms=test"%3E%3Cimg src=x onerror="alert()" a="
We rely on the XSSFilter, but that approach implies having a blacklist, and blacklists get old very quickly. We know the suggested approach is to use a WAF like Akamai, but we still feel that we need to offer security at all levels. Having said that, here is what we are doing:
First of all, we still rely on the XSSFilter, but we also do context-aware HTML encoding for reflected input using:
org.springframework.web.util.HtmlUtils.htmlEscape()
This approach takes care of escaping double quotes, single quotes, and some other characters that might be problematic. The problem that we have now is Solr: after making this change we cannot find products whose description has special characters, such as ü.
The question here is, is it possible to configure Solr in a way that it works with html-escaped text?
Kind regards,
L.
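Added example, not part of the original post or of the SAP/Hybris code base: it separates the two escaping concerns the post conflates. The raw search term is what goes to Solr (with Solr query-syntax escaping via SolrJ's ClientUtils, assumed to be on the classpath), while HtmlUtils.htmlEscape is applied only at the point where the term is written back into the HTML response. It also contrasts the single-argument htmlEscape, which turns ü into the entity &uuml; (the cause of the Solr mismatch when the escaped string is reused as the query), with the encoding-aware overload htmlEscape(String, "UTF-8") (assumed Spring 4.1.2 or later), which leaves UTF-8-representable characters alone and escapes only the HTML-significant ones. Sample inputs are constructed.

```java
import org.apache.solr.client.solrj.util.ClientUtils;
import org.springframework.web.util.HtmlUtils;

public class SearchTermEncoding {

    // Constructed sample inputs: a term with a non-ASCII character and a term
    // shaped like the audit finding (closes a double-quoted attribute).
    static final String UMLAUT_TERM = "M\u00fcsli";
    static final String HOSTILE_TERM = "test\" onmouseover=\"x";

    /**
     * What Solr receives: the original characters, escaped only for Solr's
     * own query syntax (+ - && || ! ( ) { } [ ] ^ " ~ * ? : \ /).
     * No HTML escaping happens here, so "ü" still matches the indexed text.
     */
    static String solrQueryValue(String rawTerm) {
        return ClientUtils.escapeQueryChars(rawTerm);
    }

    /**
     * What the browser receives when the term is echoed in element content or
     * in a double-quoted attribute. Single-argument htmlEscape uses the
     * ISO-8859-1 entity table, so "ü" becomes "&uuml;" alongside &lt; &gt; &quot; &#39; &amp;.
     */
    static String htmlOutputDefault(String rawTerm) {
        return HtmlUtils.htmlEscape(rawTerm);
    }

    /**
     * Same output context, but the encoding-aware overload: for UTF-8 pages only
     * < > " ' & are escaped, so "ü" survives as "ü" and is still safe to render.
     */
    static String htmlOutputUtf8(String rawTerm) {
        return HtmlUtils.htmlEscape(rawTerm, "UTF-8");
    }

    /** Echo the term into a double-quoted value attribute, escaping at output time only. */
    static String renderSearchBox(String rawTerm) {
        return "<input type=\"text\" name=\"searchterms\" value=\""
                + htmlOutputUtf8(rawTerm) + "\">";
    }

    public static void main(String[] args) {
        // Keep the raw term for the search backend...
        System.out.println("solr q = " + solrQueryValue(UMLAUT_TERM));
        // ...and escape a *copy* only where it meets HTML.
        System.out.println("default  = " + htmlOutputDefault(UMLAUT_TERM));
        System.out.println("utf-8    = " + htmlOutputUtf8(UMLAUT_TERM));
        // The stray quote in the hostile term becomes &quot;, so it can no
        // longer terminate the attribute and start an event handler.
        System.out.println(renderSearchBox(HOSTILE_TERM));
    }
}
```

The practical consequence for the question asked: rather than configuring Solr to understand HTML-escaped text, keep the request parameter unescaped on the way into the search query and escape it on the way out to the page, choosing the overload that matches the response charset. If the application escapes on input (for example in a filter that rewrites request parameters), every downstream consumer, Solr included, sees entities instead of characters.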