
How To Prevent XSS For The Form Action URL?

We use Shibboleth's Single Sign-On (SSO) to do the authentication. Shibboleth is an open-source project which has been integrated into our project. Shibboleth will do the redirect to

Solution 1:

ESAPI.encoder().encodeForURL() is not correct because this does percent encoding of the whole string, which can corrupt the URL. It's meant more for encoding individual parameters within a URL.

In this context, within an attribute, ESAPI.encoder().encodeForHTMLAttribute() should be used.

There is an extra problem here though. If the URL is not trusted, then the user could be sending their login details to an untrusted site. You should check exactly where the URL comes from and make sure the user can't control its contents.

If the URL is always of a similar format, then you can check against this in the controller.
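A worked version of the two points in Solution 1, added here as an example and not code from the question or from the Shibboleth or ESAPI projects: the controller accepts the SSO URL only when its origin matches an allow-listed host (`sso.example.edu` is a constructed value), and the URL is HTML-attribute-encoded before it is placed in `action=""`. ESAPI is not on the classpath in this stand-alone file, so the encoder below is a small stand-in for `ESAPI.encoder().encodeForHTMLAttribute()`.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Set;

// Hypothetical helper for the controller-side check: accept the SSO return URL
// only if it is absolute, https, and on an allow-listed host, then attribute-encode it.
public final class FormActionUrl {
    // Constructed allow list; replace with the real SSO endpoint host(s).
    static final Set<String> TRUSTED_HOSTS = Set.of("sso.example.edu");

    // True only for URLs whose origin matches the expected SSO endpoint.
    public static boolean isTrustedSsoUrl(String url) {
        if (url == null) return false;
        try {
            URI u = new URI(url);
            return "https".equalsIgnoreCase(u.getScheme())
                    && u.getHost() != null
                    && TRUSTED_HOSTS.contains(u.getHost().toLowerCase())
                    && u.getUserInfo() == null; // reject "https://sso.example.edu@other.host" forms
        } catch (URISyntaxException e) {
            return false; // anything that is not a well-formed URI is rejected
        }
    }

    // Stand-in for ESAPI's encodeForHTMLAttribute(): every character outside [A-Za-z0-9]
    // becomes a numeric entity, so the value can never close the attribute or the tag.
    public static String encodeForHtmlAttribute(String s) {
        StringBuilder out = new StringBuilder();
        for (int i = 0; i < s.length(); ) {
            int cp = s.codePointAt(i);
            boolean alnum = (cp >= 'a' && cp <= 'z') || (cp >= 'A' && cp <= 'Z') || (cp >= '0' && cp <= '9');
            if (alnum) out.appendCodePoint(cp); else out.append("&#").append(cp).append(';');
            i += Character.charCount(cp);
        }
        return out.toString();
    }

    // Builds the form tag only from a validated URL; refuses anything else.
    public static String formOpenTag(String ssoUrl) {
        if (!isTrustedSsoUrl(ssoUrl)) {
            throw new IllegalArgumentException("untrusted form action URL");
        }
        return "<form method=\"post\" action=\"" + encodeForHtmlAttribute(ssoUrl) + "\">";
    }

    public static void main(String[] args) {
        System.out.println(formOpenTag("https://sso.example.edu/idp/profile/SAML2/POST/SSO?x=1"));
        System.out.println(isTrustedSsoUrl("http://sso.example.edu/idp")); // scheme is not https
    }
}
```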

Solution 2:

Your logic is fundamentally flawed if you are using user input for the form action.

What is the bigger picture of your code? We can help you design it better so that you are not using user input as a form action to start with.

Solution 3:

You should use tools like "modsecurity" which use "regular expressions" and have some rules to prevent XSS attacks. Take a look at:

http://www.opensourceforu.com/2011/08/securing-apache-part-10-mod_security/

http://blog.spiderlabs.com/2013/09/modsecurity-xss-evasion-challenge-results.html

I hope they make sense ...
