So your security testing team has advised you to protect your app against the notorious Cross-site scripting (XSS) attack. We are all aware of its ramifications, if an attack was to really materialize. Specially if your app works with any sensitive data and not some mundane blog like this one. The problem is that by nature our apps deal with lots of user content. So how do you plan your defense?
For Spring/Angular apps, the communication language for server and client is mostly JSON. So today we shall take a look at how to manage our JSON conversions to mitigate the XSS risk.
When you start reading up on XSS and prevention tactics, you realize what a wonderful job Open Web Application Security Project (OWASP) has been doing for years.
Spring uses Jackson for JSON-Java Object and vice-versa conversion. So this is where we step in and write our custom Jackson converter that encodes all Strings in our Java Objects with OWASP’s ESAPI library.
Place the following in your maven POM.xml to include ESAPI in your build
<!– https://mvnrepository.com/artifact/org.owasp.esapi/esapi –>