Security Redux

As it turns out, security is actually harder than the internets originally led me to believe. Preventing SQL injection is as simple as making sure to use PreparedStatements (and not doing anything stupid like concatenating user supplied values with safe strings in the PreparedStatements), but preventing XSS is a whole 'nother kettle of fish. So I'm following the advice given on the linked site, and using their library to take care of escaping.

I was using Apache Commons StringEscapeUtils for this but it only has one type of escaping for HTML, when apparently multiple different types are needed depending on where in the HTML the user-generated content is going. The Apache documentation doesn't really specify what it's doing, so I don't feel comfortable using it for either encoding inside regular HTML elements or inside attributes.

I'm still using Java's own URLEncoder for encoding URL parameter values, as it seems to do the same thing as OWASP's URL escaping. For entire URLs I will follow the OWASP advice though.

Comments

Popular posts from this blog

"Does it get easier?" Yes, but Also No...

How to Land Your First Dev Job: Develop Yourself, Market Yourself

Git. The WHAT and WHY Edition.