I am using HDIV in my project for securing from OWASP list but text boxs are accepting <script>alert(1);</script>
as an input and saving to db.
I want to write test case for all OWASP issue.
Below are the project configuration
web.xml Configuration
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>
WEB-INF/spring/applicationContext-db.xml
WEB-INF/spring/spring-security.xml
WEB-INF/spring/hdiv-config.xml
</param-value>
</context-param>
webmvc-config.xml Configuration
<import resource="applicationContext-hdiv.xml" />
applicationContext-hdiv.xml Configuration
<beans>
<bean id="requestDataValueProcessor" class="org.springframework.security.web.servlet.support.csrf.CsrfRequestDataValueProcessor" />
<bean id="editableValidator" class="org.hdiv.web.validator.EditableParameterValidator"/>
<mvc:annotation-driven validator="editableValidator" />
</beans>
hdiv-config.xml Configuration
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:hdiv="http://www.hdiv.org/schema/hdiv" xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.2.xsd
http://www.hdiv.org/schema/hdiv http://www.hdiv.org/schema/hdiv/hdiv.xsd">
<hdiv:config excludedExtensions="css,js,ttf" errorPage="/manage/security-error" maxPagesPerSession="10" confidentiality="true" strategy="memory" randomName="true">
<hdiv:sessionExpired loginPage="/main/common" homePage="/"/>
<hdiv:startPages method="get">/,/.*,/manage/.*,/login</hdiv:startPages>
</hdiv:config>
<hdiv:validation id="customValidation" componentType="text">
<hdiv:acceptedPattern><![CDATA[^[a-zA-Z0-9@.\-_]*$]]></hdiv:acceptedPattern>
<hdiv:rejectedPattern><![CDATA[(\s|\S)*(--)(\s|\S)*]]></hdiv:rejectedPattern>
</hdiv:validation>
<hdiv:editableValidations registerDefaults="true">
<hdiv:validationRule url=".*" enableDefaults="false">customValidation</hdiv:validationRule>
</hdiv:editableValidations>
</beans>
Remove 'requestDataValueProcessor' and 'editableValidator' beans from 'applicationContext-hdiv.xml' file, they are automatically created by tag.
Have a look at this project configuration for a working example: https://github.com/hdiv/hdiv-spring-mvc-showcase