Preventing XSS but allowing certain characters like apostrophe,!,"

[maninder]

My project is on J2EE(JSp/Servlets). It is IDM enabled. Recently they have updated their security policies to prevent XSS which is not allowing me to enter apostrophe in text box and submit.How t allow certain characters to be entered but at the same time it should prevent XSS.

[DarrylBurke]

Don't double post. The other thread you started in the New to Java section has been removed.

db

[f1gh]

My project is on J2EE(JSp/Servlets). It is IDM enabled. Recently they have updated their security policies to prevent XSS which is not allowing me to enter apostrophe in text box and submit.How t allow certain characters to be entered but at the same time it should prevent XSS.

There are multiple approaches to this:
1) Find the flows that are exceptional cases and treat them with a different regex expression, instead of a blanket approach.
2) Using a filter, instead of disallowing the input, convert it to its corresponding html code (e.g. < for less-then symbol) - this is what i have used in past and it works quite well
3) Most XSS happen due to ability to insert a tag with open and close tag. Checking for those and handling those will prevent majority of XSS attacks instead of having a blanket approach to filter apostrophe, or double quotes, or pound symbol, etc. as those can be validate user inputs.

HTH.

[Tolls]

Are you on a "raise old threads" mission?