Handling XML Input with XSS Filter in Spring MVC Application


Questions

I have integrated the JSoup HTML Cleaner library into a custom request filter within my Spring MVC application in order to sanitize inputs (to help mitigate XSS vulnerabilities).

It works great, but I'm running into a particular instance where XML is submitted to the server-side as a form (application/x-www-form-urlencoded) and the JSoup Cleaner strips all of the XML tags. It doesn't look like I can whitelist XML tags (as you can with HTML tags in JSoup).

What's the correct way to handle this situation?

    • I don't want to add a conditional that ignores any input starting with <SampleXML>, as the XML structure can change in the future. Also, I think it introduces a vulnerability from an attacker's perspective.
    • Or, I can change the request to be of content-type application/xml and ignore sanitization based on the content-type.

Do I need to worry about sanitizing XML? Perhaps I shouldn't be accepting raw XML in the first place? The reason that I'm doing it is because I'm using a JavaScript library that generates it, and it's convenient to store the generated XML directly into my database. Then, when the user needs to recall that data, I simply fetch the XML from the database and load it back into the library's JavaScript object. I know that convenience and security don't go hand-in-hand, however...
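The filter described in the question, written out as an added example (this is not the asker's code and not part of the original post). It assumes Spring 5 on javax.servlet, Jsoup 1.14 or later (where the allow-list class is called Safelist; older releases name it Whitelist), and a hypothetical form field named "payload" that carries the library-generated XML. Every ordinary parameter goes through Jsoup.clean() with an empty allow-list; the XML field is exempted from HTML cleaning and is instead checked for well-formedness by a hardened DOM parser and stored verbatim. The main() method shows why the cleaner alone cannot pass XML through: Jsoup parses the value as an HTML fragment, so the unknown tags are dropped and only the text content survives.

```java
// Added example, not from the question: a parameter-cleaning servlet filter that
// applies Jsoup to ordinary form fields but exempts one designated XML field,
// validating it with a hardened XML parser instead. Assumes Spring 5 / javax.servlet
// and Jsoup 1.14+ (Safelist; older releases call the same class Whitelist).
import java.io.IOException;
import java.io.StringReader;
import java.util.Arrays;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;

import org.jsoup.Jsoup;
import org.jsoup.safety.Safelist;
import org.xml.sax.InputSource;

public class XssCleanFilter implements Filter {

    // Hypothetical name of the form field that carries the library-generated XML.
    static final String XML_FIELD = "payload";

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (req instanceof HttpServletRequest) {
            chain.doFilter(new CleanedRequest((HttpServletRequest) req), res);
        } else {
            chain.doFilter(req, res);
        }
    }

    /** Wraps the request so parameter reads made by Spring go through cleanParam(). */
    static class CleanedRequest extends HttpServletRequestWrapper {
        CleanedRequest(HttpServletRequest request) { super(request); }

        @Override
        public String getParameter(String name) {
            String v = super.getParameter(name);
            return v == null ? null : cleanParam(name, v);
        }

        @Override
        public String[] getParameterValues(String name) {
            String[] vs = super.getParameterValues(name);
            return vs == null ? null
                    : Arrays.stream(vs).map(v -> cleanParam(name, v)).toArray(String[]::new);
        }
    }

    /** HTML-clean everything except the XML field, which is validated as XML instead. */
    static String cleanParam(String name, String value) {
        if (XML_FIELD.equals(name)) {
            requireWellFormedXml(value);   // reject malformed input instead of rewriting it
            return value;                  // stored verbatim; must be encoded if rendered into HTML
        }
        // Safelist.none() keeps text nodes only; every element is dropped.
        return Jsoup.clean(value, Safelist.none());
    }

    /** Parses the field with DTDs, external entities and XInclude disabled. */
    static void requireWellFormedXml(String xml) {
        try {
            DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
            f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
            f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
            f.setFeature("http://xml.org/sax/features/external-general-entities", false);
            f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
            f.setXIncludeAware(false);
            f.setExpandEntityReferences(false);
            f.newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
        } catch (Exception e) {
            throw new IllegalArgumentException("field '" + XML_FIELD + "' is not well-formed XML", e);
        }
    }

    // Shows why the plain cleaner cannot pass XML through: Jsoup.clean() parses the value
    // as an HTML body fragment, drops the unknown elements and keeps only their text.
    public static void main(String[] args) {
        String xml = "<SampleXML><item id=\"1\">hello</item></SampleXML>";   // constructed input
        System.out.println(Jsoup.clean(xml, Safelist.none()));                // text content only
        System.out.println(cleanParam(XML_FIELD, xml));                        // XML passed through
        System.out.println(cleanParam("comment", "<script>alert(1)</script>ok")); // script removed
    }
}
```

Two things to adjust before using this in a real application. First, the wrapper throws from getParameter(), which surfaces as a 500 once a controller reads the field; a production filter would parse the XML field up front and answer with a 400 itself. Second, this only covers form-encoded bodies: if the client is switched to Content-Type: application/xml, as the second option in the question proposes, the body never becomes a request parameter, so the same hardened DocumentBuilderFactory settings belong wherever that body is parsed instead. In either case the XML is data, not HTML, so the XSS control that matters is encoding it at the point where it is placed into a page, not rewriting it on the way in.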

Answers

Source

License : cc by-sa 3.0

http://stackoverflow.com/questions/40240201/handling-xml-input-with-xss-filter-in-spring-mvc-application
