I am working on fixing cross-site scripting issues in our code, mainly in JSPs.
Below is the original code:
// scriptlet code
<% String userId =
Thanks for the help, guys. I finally figured out a solution to prevent the XSS issue and pass Fortify static code analysis. I used ESAPI together with the AntiSamy library. Here are the 3 main changes required.
Implement an AntiSamy filter
Add a new filter and override the request methods getParameter and getParameterValues to strip out any suspicious tags in the request. The filter loads a policy file where we define our rules, like:
a. tags which need to be removed from the requests (tags like , etc.)
b. regexes for common attributes like href, align, etc.
An example implementation of the filter is here: http://barrypitman.com/2011/04/14/using-input-validation-XSS/
Perform input validation using the ESAPI library
String reportName = request.getParameter("reportName");
// "ReportNamePattern" is looked up as Validator.ReportNamePattern in ESAPI.properties.
// Throws org.owasp.esapi.errors.ValidationException if the value does not match the
// pattern, is null (allowNull = false) or is longer than 100 characters.
ESAPI.validator().getValidInput("Report Name",
        reportName, "ReportNamePattern", 100, false);
In the above code,
Perform output encoding
As pointed out by @avgvstvs, output encoding is also a must.
If the reportName field is to be used in HTML, below is how to encode it:
Report : <%=ESAPI.encoder().encodeForHTML(reportName)%>
If the reportName field is to be used in JavaScript code, below is how to encode it:
var reportName = "<%= ESAPI.encoder().encodeForJavaScript(reportName)%>";
If the reportName field is to be used in an HTML attribute, below is how to encode it:
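The three steps of the accepted answer (AntiSamy request filter, ESAPI input validation, context-specific output encoding) put together in one place, as an added example that is neither the answer's own code nor the code from the linked article. It is two source files separated by `// File:` comments. Assumptions: the Servlet 3.x `javax.servlet` API with annotation-based registration, an AntiSamy policy file at the hypothetical path `/WEB-INF/antisamy-policy.xml`, a `Validator.ReportNamePattern` entry in `ESAPI.properties` (hypothetical, shown in a comment), and the class names `AntiSamyFilter`, `SanitizingRequest` and `ReportServlet`, which are made up for the example. Every library call used (`Policy.getInstance`, `AntiSamy.scan`, `ESAPI.validator().getValidInput`, the `ESAPI.encoder()` methods) is the real AntiSamy/ESAPI API.

```java
// File: AntiSamyFilter.java  (step 1: strip disallowed markup from every request parameter)
import java.io.IOException;
import java.io.InputStream;
import javax.servlet.*;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.*;
import org.owasp.validator.html.*;

@WebFilter("/*")
public class AntiSamyFilter implements Filter {
    private Policy policy;

    @Override
    public void init(FilterConfig cfg) throws ServletException {
        // Hypothetical policy location; the policy file lists the allowed tags and attribute regexes.
        try (InputStream in = cfg.getServletContext().getResourceAsStream("/WEB-INF/antisamy-policy.xml")) {
            if (in == null) throw new ServletException("AntiSamy policy file not found");
            policy = Policy.getInstance(in);
        } catch (IOException | PolicyException e) {
            throw new ServletException("Cannot load AntiSamy policy", e);
        }
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (req instanceof HttpServletRequest) {
            req = new SanitizingRequest((HttpServletRequest) req, new AntiSamy(policy));
        }
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() { }

    /** Wrapper that runs AntiSamy over every parameter value handed to the JSP. */
    static final class SanitizingRequest extends HttpServletRequestWrapper {
        private final AntiSamy antiSamy;

        SanitizingRequest(HttpServletRequest request, AntiSamy antiSamy) {
            super(request);
            this.antiSamy = antiSamy;
        }

        @Override
        public String getParameter(String name) {
            return sanitize(super.getParameter(name));
        }

        @Override
        public String[] getParameterValues(String name) {
            String[] raw = super.getParameterValues(name);
            if (raw == null) return null;
            String[] clean = new String[raw.length];
            for (int i = 0; i < raw.length; i++) clean[i] = sanitize(raw[i]);
            return clean;
        }

        private String sanitize(String value) {
            if (value == null) return null;
            try {
                return antiSamy.scan(value).getCleanHTML();
            } catch (ScanException | PolicyException e) {
                return ""; // fail closed: unparseable input is dropped rather than passed through
            }
        }
    }
}

// File: ReportServlet.java  (steps 2 and 3: validate with ESAPI, then encode per output context)
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.*;
import org.owasp.esapi.ESAPI;
import org.owasp.esapi.errors.ValidationException;

@WebServlet("/report")
public class ReportServlet extends HttpServlet {
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        String reportName;
        try {
            // "ReportNamePattern" is resolved as Validator.ReportNamePattern in ESAPI.properties
            // (assumed to exist), e.g. Validator.ReportNamePattern=^[A-Za-z0-9 _.-]{1,100}$
            reportName = ESAPI.validator().getValidInput(
                    "Report Name", req.getParameter("reportName"), "ReportNamePattern", 100, false);
        } catch (ValidationException e) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "Invalid report name");
            return;
        }
        resp.setContentType("text/html;charset=UTF-8");
        PrintWriter out = resp.getWriter();
        // One value, three contexts, three encoders: what is safe in one context is not in another.
        out.println("<p>Report: " + ESAPI.encoder().encodeForHTML(reportName) + "</p>");
        out.println("<input type=\"text\" value=\""
                + ESAPI.encoder().encodeForHTMLAttribute(reportName) + "\">");
        out.println("<script>var reportName = \""
                + ESAPI.encoder().encodeForJavaScript(reportName) + "\";</script>");
    }
}
```

Two caveats a practitioner should keep in mind with this layout. The wrapper only overrides `getParameter` and `getParameterValues`, so anything that reads `getParameterMap()`, headers, or the raw body (JSON, multipart uploads) bypasses the filter; and AntiSamy re-serializes what it scans, so the servlet receives a normalized value rather than the exact bytes the client sent, which matters if the same value is stored and encoded again later. The filter is a defense-in-depth layer; the context-specific encoders at the bottom of `ReportServlet` are what actually prevent the injection, which is why the answer's third step is not optional.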