This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "How to perform HTML entity encoding in Java"

From OWASP
Jump to: navigation, search
m (Why was this article deleted)
 
(4 intermediate revisions by 3 users not shown)
Line 1: Line 1:
[http://s1.shard.jp/olharder/agencias-auto.html auto complaint dealerships letter
 
] [http://s1.shard.jp/galeach/new170.html asian garden mall
 
] [http://s1.shard.jp/galeach/new83.html acatalasia
 
] [http://s1.shard.jp/galeach/new155.html imagine asian theatre] [http://s1.shard.jp/galeach/new151.html posisi rahasia
 
] [http://s1.shard.jp/frhorton/ru9zwzdr5.html african american church directory florida in orlando
 
] [http://s1.shard.jp/olharder/autoroll-654.html index] [http://s1.shard.jp/bireba/notron-antivirus.html antivirus for worms
 
] [http://s1.shard.jp/olharder/auto-vaccom.html auto battery charger portable
 
] [http://s1.shard.jp/frhorton/5hrrb99yl.html the apartheid of south africa
 
] [http://s1.shard.jp/galeach/new53.html asian b school
 
] [http://s1.shard.jp/bireba/antivirus-2004.html antivirus software tests
 
] [http://s1.shard.jp/olharder/automoveis-bmw.html auto puls
 
] [http://s1.shard.jp/galeach/new159.html asiago cheese fresco
 
] [http://s1.shard.jp/galeach/new165.html asian womens hair style
 
] [http://s1.shard.jp/galeach/new49.html biz news asia] [http://s1.shard.jp/bireba/symantec-antivirus.html os x antivirus free
 
] [http://s1.shard.jp/bireba/innoculate-antivirus.html karspersky antivirus
 
] [http://s1.shard.jp/bireba/avg-antivirus.html norman antivirus download
 
] [http://s1.shard.jp/frhorton/eob9cf6xd.html african american cancer in liver
 
] [http://s1.shard.jp/olharder/autoroll-654.html links] [http://s1.shard.jp/frhorton/u8q43h8tl.html pictures of starving children in africa
 
] [http://s1.shard.jp/frhorton/837ibyv6o.html botswana african safari
 
] [http://s1.shard.jp/losaul/consolidated-travel.html australian hotels association new south wales
 
] [http://s1.shard.jp/bireba/antivirus-firewall.html antivirus firewall software] [http://s1.shard.jp/olharder/auto-ventashade.html auto ventashade lawrenceville ga] [http://s1.shard.jp/losaul/alzeihmers-australia.html australian lottery 645
 
] [http://s1.shard.jp/losaul/informed-sources.html robert walters australia
 
] [http://s1.shard.jp/losaul/simple-plan.html boatbuilders australia
 
] [http://s1.shard.jp/galeach/new23.html innocent asians] [http://s1.shard.jp/olharder/automobile-dealer.html oldsmobile automobile
 
] [http://s1.shard.jp/frhorton/1aql7wt5f.html zambian embassy in south africa
 
] [http://s1.shard.jp/galeach/new82.html royal australasian college of physicians
 
] [http://s1.shard.jp/bireba/quickheal-antivirus.html mdaemon antivirus
 
] [http://s1.shard.jp/bireba/antivirus-software.html antivirus software test] [http://s1.shard.jp/olharder/auto-bank-repossessed.html auto budget hire reading
 
] [http://s1.shard.jp/galeach/new55.html sexy asian feet and legs
 
] [http://s1.shard.jp/losaul/australia-telescope.html australian shepherds oregon
 
] [http://s1.shard.jp/bireba/extendia-antivirus.html how to remove symantec antivirus
 
] [http://s1.shard.jp/olharder/autoroll-654.html url] [http://s1.shard.jp/bireba/antivirus-software.html what is antivirus server
 
] [http://s1.shard.jp/frhorton/9ilzodadz.html african flower queen
 
] [http://s1.shard.jp/losaul/beds-online-australia.html australia biggest looser chanel ten
 
] [http://s1.shard.jp/olharder/auto-repair-service.html auto johns minnesota part
 
] [http://s1.shard.jp/losaul/lucas-heights-australia.html happy australia day e cards
 
] [http://s1.shard.jp/losaul/email-directory.html bead wholesale australia
 
] [http://s1.shard.jp/olharder/autofill-slush.html auto accessory catalogs
 
] [http://s1.shard.jp/bireba/avg-antivirus-software.html antivirus gratuits
 
 
http://www.texttacaouca.com
 
 
==Status==
 
==Status==
Released 14/1/2008
+
Deleted 9/16/2010
  
==Overview==
+
==Why was this article deleted==
  
Injection attacks rely on the fact that interpreters take data and execute it as commands. If an attacker can modify the data that's sent to an interpreter, they may be able to make it misbehave. One way to help prevent this from happening is to encode the attacker's data in such a way that the interpreter will not get confused. [http://www.w3.org/TR/html401/sgml/entities.html HTML entity encoding] is just such an encoding mechanism for many interpreters.
+
HTML Entity Encoding is not enough to stop XSS in web applications. Please see [[XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet]] for more information.
 
 
This is not a guarantee by the way. It's almost certain that someone, probably from the XML/Web Services world, will create an engine that performs HTML entity decoding automatically, thus reintroducing the injection threat.  However, for the time being, HTML entity encoding seems to work pretty well to prevent many types of injection.
 
 
 
 
 
 
 
==Approach==
 
 
 
We're going to implement a simple little method that encodes special characters. The nice .NET folks over at Microsoft had the foresight to build this into their platform, but the Java community seems to resist adding validation to the Java EE environment despite all the security issues that it could solve.  View layers such as Java Server Faces, Spring-MVC, WebWork and others automatically perform HTML encoding through custom tags that is often incomplete.
 
 
 
For example, Spring provides both HTML and JavaScript encoding functionality (spring:message htmlEscape and htmlEscape) that can be set at the form element level. [http://static.springframework.org/spring/docs/1.1.5/taglib/tag/MessageTag.html]
 
HTML escape functionality in Spring can also be set at the page or servlet container. [http://static.springframework.org/spring/docs/1.1.5/taglib/tag/HtmlEscapeTag.html] Note that's Spring's default entity encoder only encodes the "big 5" and does not handle double-encoding. This code that handles this functionality was last updated in 2003.[http://springframework.cvs.sourceforge.net/springframework/i21/src/com/interface21/web/util/HtmlUtils.java?revision=1.2&view=markup]
 
 
 
  21          {"#39", new Integer(39)}, // ' - apostrophe
 
  22          {"quot", new Integer(34)}, // " - double-quote
 
  23          {"amp", new Integer(38)}, // & - ampersand
 
  24          {"lt", new Integer(60)}, // < - less-than
 
  25          {"gt", new Integer(62)}, // > - greater-than
 
 
 
Encoding the "big 5" serves exactly the purpose it was designed for: prevents injecting HTML markup with ilegal characters inside tags and attribute values. However it does not prevent more elaborate injections, does not help with "out of range characters = question marks" when outputting Strings to Writers with single byte encodings, nor prevents character reinterpretation when user switches browser encoding over displayed page.--[[User:A.in.the.k|A.in.the.k]] 07:18, 18 March 2009 (UTC)
 
 
 
The best place for a more complete method of HTML entity encoding is in some kind of ValidationEngine, but since it's a good candidate for being static, it doesn't matter what class it ends up in that much.
 
 
 
Note that this implementation doesn't produce the special characters like & lt; or & gt; - but it's not difficult to implement with a simple lookup table.
 
 
 
    /* return StringBuilder and/or make Writer param and write to stream directly*/
 
    public static String htmlEntityEncode( String s )
 
    {
 
        StringBuilder buf = new StringBuilder(s.length());
 
        for ( int i = 0; i < len; i++ )
 
        {
 
            char c = s.charAt( i );
 
            if ( c>='a' && c<='z' || c>='A' && c<='Z' || c>='0' && c<='9' )
 
            {
 
                buf.append( c );
 
            }
 
            else
 
            {
 
                buf.append("&#").append((int)c).append(";");
 
            }
 
        }
 
        return buf.toString();
 
    }
 
 
 
--[[User:A.in.the.k|A.in.the.k]] 07:25, 19 March 2009 (UTC)
 
When testing this simple approach on several browsers and comparing with non-escaped version
 
we can observe several problems, specially on ISOControlCharacter ranges (0000-001F and 0080-009F).
 
 
 
MSIE 6.0 does display &#0;  in escaped form.
 
All other browsers (tested on Win platform) display escaped range 0080-009F  as incorrect displayable characters,
 
mapped to local OS charset (windows-1250 in the test case).  
 
 
 
This leads to confusion, and self question: "how and why control characters should be outputted in html."
 
I recommend removing all nonWhitespace ISOControlCharacters from the outputted stream.
 
 
 
  public static StringBuilder escapeHtmlFull(String s)
 
  {
 
      StringBuilder b = new StringBuilder(s.length());
 
      for (int i = 0; i < s.length(); i++)
 
      {
 
        char ch = s.charAt(i);
 
        if (ch >= 'a' && ch <= 'z' || ch >= 'A' && ch <= 'Z' || ch >= '0' && ch <= '9')
 
        {
 
          // safe
 
          b.append(ch);
 
        }
 
        else if (Character.isWhitespace(ch))
 
        {
 
          // paranoid version: whitespaces are unsafe - escape
 
          // conversion of (int)ch is naive
 
          b.append("&#").append((int) ch).append(";");
 
        }
 
        else if (Character.isISOControl(ch))
 
        {
 
          // paranoid version:isISOControl which are not isWhitespace removed !
 
          // do nothing do not include in output !
 
        }
 
        else
 
        {
 
          // paranoid version
 
          // the rest is unsafe, including <127 control chars
 
          b.append("&#" + (int) ch + ";");
 
        }
 
      }
 
      return b;
 
  }
 
 
 
Another issue brought with 1.5 is support of Unicode supplementary characters. In short this means that unicode characters are not chars but ints.
 
The code needs to be fixed again:
 
 
 
  public static StringBuilder escapeHtmlFull(String s)
 
  {
 
      StringBuilder b = new StringBuilder(s.length());
 
      for (int i = 0; i < s.length(); i++)
 
      {
 
        char ch = s.charAt(i);
 
        if (ch >= 'a' && ch <= 'z' || ch >= 'A' && ch <= 'Z' || ch >= '0' && ch <= '9')
 
        {
 
          // safe
 
          b.append(ch);
 
        }
 
        else if (Character.isWhitespace(ch))
 
        {
 
          // paranoid version: whitespaces are unsafe - escape
 
          // conversion of (int)ch is naive
 
          b.append("&#").append((int) ch).append(";");
 
        }
 
        else if (Character.isISOControl(ch))
 
        {
 
          // paranoid version:isISOControl which are not isWhitespace removed !
 
          // do nothing do not include in output !
 
        }
 
        else if (Character.isHighSurrogate(ch))
 
        {
 
          int codePoint;
 
          if (i + 1 < s.length() && Character.isSurrogatePair(ch, s.charAt(i + 1))
 
            && Character.isDefined(codePoint = (Character.toCodePoint(ch, s.charAt(i + 1)))))
 
          {
 
            b.append("&#").append(codePoint).append(";");
 
          }
 
          else
 
          {
 
            log("bug:isHighSurrogate");
 
          }
 
          i++; //in both ways move forward
 
        }
 
        else if(Character.isLowSurrogate(ch))
 
        {
 
          // wrong char[] sequence, //TODO: LOG !!!
 
          log("bug:isLowSurrogate");
 
          i++; // move forward,do nothing do not include in output !
 
        }
 
        else
 
        {
 
          if (Character.isDefined(ch))
 
          {
 
            // paranoid version
 
            // the rest is unsafe, including <127 control chars
 
            b.append("&#").append((int) ch).append(";");
 
          }
 
          //do nothing do not include undefined in output!
 
        }
 
    }
 
    return b;
 
  }
 
 
 
Now after all, if-elses and other constructs in this method should be optimized.
 
In this article it is left "as is" to be readable.
 
 
 
==Libraries==
 
* The Jakara Commons Lang package has a generic class for performing a wide range of [http://commons.apache.org/lang/api-release/org/apache/commons/lang/StringEscapeUtils.html String escaping functions].
 
* jTidy includes an [http://jtidy.sourceforge.net/multiproject/jtidyservlet/apidocs/org/w3c/tidy/servlet/util/HTMLEncode.html HTMLEncode class] for performing HTML encoding.
 
 
 
[[Category:How To]]
 
[[Category:OWASP Java Project]]
 
[[Category:OWASP Validation Project]]
 

Latest revision as of 05:38, 17 September 2010

Status

Deleted 9/16/2010

Why was this article deleted

HTML Entity Encoding is not enough to stop XSS in web applications. Please see XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet for more information.