XSS patch for tomcat, jetty and glassfish

In case you didn't know, any application with a JSP page that uses ${foobar} with user-introduced data is inherently insecure. The 10-seconds Intro To The Joy Of XSS goes a little like this:

  • Go to some data input form.
  • Enter <script>window.location.href='http://badguys.com'</script> into any field
  • Wait until my entry shows up in somebody else's authenticated browser, typically as part of some listing.

This technique can be used for practically anything, from deleting your data to inserting a hidden iframe that points to the Black Hat version of the Yellow Brick Road. This will happen in all java-based app servers, since the standard says not to escape XML contents inside EL expressions (that ${...} thingy).

After the loom 1.0-rc1 release there were lots of people testing our demo application - well, on July 1st we had the same amount of traffic of the entire month of June. The server stats showed many smart attempts at XSS security: special characters, scripts, images and iframes were the general note.

Loom itself escape XSS attacks using an optimized version of the Google doctype recommendation. But two of our favorite servers (tomcat and jetty) were not doing it: these tags got printed wherever a "${customer.name}" was used, so we decided to do something about it. And here is were Rafa Serrano (werkins) took the lead.

Rafa is the smart, not-yet-thirty-year-old guy that works at our Madrid office (three meters to my right, to be exact), that for some reason I have yet to understand has got two university degrees and is working on the third - I can only suppose the TV has been broken at his house for, like, years. Since I had a great summer totally stuck with my tasks, he decided to take this one out of my stack and implement it himself.

The results are two patches filed for both Tomcat and Glassfish, the last one valid for jetty too. Please, if you have a voice in the Tomcat or Glassfish communities cast a vote for these, as they are a step towards a more secure web.

In case you need security NOW and cannot wait for the new release of your server (yep - that sounds definitely as me), we have included a patched jar for our rc2 release, which can be grabbed from subversion right now. The folder includes a jar that should be dropped into your server lib folder, a test JSP page, and instructions to use. Note that if you still want unescaped HTML content you can use <c:out escapeXml="false"> but that should be the exception, not the norm.

Well, have a secure summer - or something. Cheers!