CSRF & XSS not working using HDIV

Question

I am using HDIV in my project for securing from OWASP list but text boxs are accepting <script>alert(1);</script> as an input and saving to db.

I want to write test case for all OWASP issue.

Below are the project configuration

web.xml Configuration

<context-param>
    <param-name>contextConfigLocation</param-name>
    <param-value>               
        WEB-INF/spring/applicationContext-db.xml
        WEB-INF/spring/spring-security.xml
        WEB-INF/spring/hdiv-config.xml
    </param-value>
</context-param>

webmvc-config.xml Configuration

<import resource="applicationContext-hdiv.xml" />

applicationContext-hdiv.xml Configuration

<beans>
    <bean id="requestDataValueProcessor" class="org.springframework.security.web.servlet.support.csrf.CsrfRequestDataValueProcessor" />


<bean id="editableValidator" class="org.hdiv.web.validator.EditableParameterValidator"/>
    <mvc:annotation-driven validator="editableValidator" />
</beans>

hdiv-config.xml Configuration

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:hdiv="http://www.hdiv.org/schema/hdiv" xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.2.xsd
               http://www.hdiv.org/schema/hdiv http://www.hdiv.org/schema/hdiv/hdiv.xsd">

            <hdiv:config excludedExtensions="css,js,ttf" errorPage="/manage/security-error" maxPagesPerSession="10" confidentiality="true" strategy="memory" randomName="true"> 
                <hdiv:sessionExpired loginPage="/main/common" homePage="/"/>
                <hdiv:startPages method="get">/,/.*,/manage/.*,/login</hdiv:startPages>
            </hdiv:config>

            <hdiv:validation id="customValidation" componentType="text">
                <hdiv:acceptedPattern><![CDATA[^[a-zA-Z0-9@.\-_]*$]]></hdiv:acceptedPattern>
                <hdiv:rejectedPattern><![CDATA[(\s|\S)*(--)(\s|\S)*]]></hdiv:rejectedPattern>
            </hdiv:validation>

            <hdiv:editableValidations registerDefaults="true">
                <hdiv:validationRule url=".*" enableDefaults="false">customValidation</hdiv:validationRule>
            </hdiv:editableValidations>         
        </beans> 

Answer 1

Remove 'requestDataValueProcessor' and 'editableValidator' beans from 'applicationContext-hdiv.xml' file, they are automatically created by tag.

Have a look at this project configuration for a working example: https://github.com/hdiv/hdiv-spring-mvc-showcase

Answer 2

XSS is an output problem, not an input problem. Input validation is about making sure data is correct according to the domain. So for instance you want to check that a field expecting to take a year actually receives a number within the expected range. You may also want to make sure that only allowed characters are in use. And in many cases this will stop many attacks.

However for complex inputs, this is no longer viable. Consider a text field where you want to allow users to comment. The user should be allowed to to write a comment such as "An hence x < 4". Now we are allowing characters used to build html tags.

Now we have two options:

1. Use a tool to strip out dangerous HTML - likely to fail at some point
2. Use context aware escaping as described in the OWASP XSS prevention cheat sheet