Affects:
I have a requirement of protecting APIs from XSS injection. I think HtmlUtils.htmlEscape(String inputString) can possibly check if the input contains a possible XSS injection. However, there are certain false positives; for example, the above method would also consider a single inverted comma as an HTML character, and hence, since it's an HTML/JS character, it looks like an XSS injection.
So if HtmlUtils would expose a method which would white-list a few characters, then it could be used in such false-positive cases.
Please find the problem statement here : https://stackoverflow.com/questions/75736868/is-there-a-way-to-avoid-check-on-few-characters-while-using-htmlutils-htmlescape
Comment From: simonbasle
This would go contrary to the stated goal of HtmlUtils:
"Escapes and unescapes based on the W3C HTML 4.01 recommendation"
I don't think this is a good idea overall, as it would provide an escape hatch (as described in OWASP's XSS prevention cheat sheet). The Spring Framework should nudge its users towards more secure code rather than the contrary.
As a side note, looking at your SO question, I think you're looking at things from the wrong perspective. It sounds like "HTML escaping is a good way to prevent XSS, but surely my users wouldn't abuse some tags and characters... so I won't escape these". I'd be careful with that train of thought, giving a false sense of security against XSS vulns by implementing half of a prevention measure.
Comment From: Rutvikmodi
Hi @simonbasle, sorry, I was occupied. I totally understand your viewpoint, and maybe yes, it is probably a wrong school of thought. But I think HTML escaping is the closest thing which I found, along with JSOUP, which can avoid XSS injection.
However, consider the case if I'm using HTML escape for XSS validation and the user inputs this string:
"Hi, this is Rutvik's comment"
This would throw an exception saying that it is a possible XSS vuln. So the thought process behind this was to let the developer decide what not to include in the field and what to include (let the developer decide, according to his/her use-case, what could be the possible XSS vuln).
Perhaps HTML escape isn't the correct tool to use for XSS prevention; can you please suggest the solution? Your thoughts would be appreciated.
Comment From: simonbasle
HTML escaping is a tool, but it is not adapted for detection since, as you found out, it covers more cases than necessary. XSS prevention is a by-product of the fact that all the problematic characters are covered (and more). It is adapted when you want to render the user-provided content on a webpage (for instance) without said user-provided content influencing the source.
The other technique covered in the OWASP cheat sheet, HTML sanitization, is useful when users need to author HTML content.
JSOUP can be used for that. It is a stated goal of JSOUP:
"clean user-submitted content against a safelist, to prevent XSS attacks"
So your usage of HtmlUtils is actually redundant with JSOUP, if you need your users to be able to produce actual HTML.
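The distinction drawn in the two comments above (escaping for rendering vs. sanitizing against a safelist, and why "escaping changed the input" is a poor XSS detector) as an added example; this is not code from the Spring Framework, from jsoup, or from either commenter. It assumes spring-web and jsoup (1.14.1 or later, which has `Safelist`) are on the classpath; the class and method names are mine.

```java
import org.jsoup.Jsoup;
import org.jsoup.safety.Safelist;
import org.springframework.web.util.HtmlUtils;

// Added example (not Spring/jsoup project code). Assumes spring-web and jsoup on the classpath.
public class EscapeVsSanitize {

    // Plain-text field (e.g. a comment that must NOT contain markup):
    // escape at render time so the browser shows the text verbatim. Nothing is
    // rejected; an apostrophe simply comes out as a character entity.
    static String renderPlainText(String userInput) {
        return HtmlUtils.htmlEscape(userInput);
    }

    // The misuse discussed in the thread: using "escaping changed the string"
    // as an XSS detector. Any HTML-significant character, including the
    // apostrophe in "Rutvik's comment", trips it, so it produces false positives
    // on legitimate input while still not being a safelist.
    static boolean naiveXssCheck(String userInput) {
        return !HtmlUtils.htmlEscape(userInput).equals(userInput);
    }

    // Rich-text field (users are allowed to author limited HTML):
    // sanitize against a safelist. Allowed tags such as <b> are kept;
    // everything else, <script> included, is dropped.
    static String sanitizeRichText(String userHtml) {
        return Jsoup.clean(userHtml, Safelist.basic());
    }

    // If the API must reject rather than silently clean, jsoup can report
    // whether cleaning would change the input at all.
    static boolean isAcceptableRichText(String userHtml) {
        return Jsoup.isValid(userHtml, Safelist.basic());
    }

    public static void main(String[] args) {
        // Constructed sample inputs.
        String comment = "Hi, this is Rutvik's comment";
        String attack = "<b>hi</b><script>alert(1)</script>";

        System.out.println("escaped for rendering : " + renderPlainText(comment));
        System.out.println("naive check, comment  : " + naiveXssCheck(comment));
        System.out.println("naive check, attack   : " + naiveXssCheck(attack));
        System.out.println("sanitized attack      : " + sanitizeRichText(attack));
        System.out.println("attack acceptable?    : " + isAcceptableRichText(attack));
        System.out.println("<b>hi</b> acceptable? : " + isAcceptableRichText("<b>hi</b>"));
    }
}
```

Running it shows the point of the thread: `naiveXssCheck` returns true for the harmless comment as well as for the attack, because escaping is designed to neutralize every HTML-significant character, not to classify input. Choose one of the other two paths per field: escape plain-text fields when rendering (and store them untouched), and sanitize or validate rich-text fields against a jsoup safelist. Layering `HtmlUtils.htmlEscape` on top of `Jsoup.clean` for the same field would double-encode the allowed markup rather than add protection.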
Comment From: Rutvikmodi
Hi @simonbasle, well, yes, even I agreed to the notion that JSOUP is the perfect library and usage of HtmlUtils is redundant; however, there are certain cases where JSOUP fails, and, if I'm not wrong, that's why it was removed from Hibernate Validator. And for that reason I thought that combining JSOUP along with HtmlUtils would give good control to the developer on XSS validation, as HtmlUtils covers some extra cases too. Let me know what your opinion is. :)