Java – How best to sanitize input in Java webapp


We use jsp, servlets, beans with mysql database. We don't want to restrict the characters entered by users on form fields. So how do I sanitize the input and how to make sure the output is not changed for malicious activities. Is there way while sending the output I could check if extra code has been sent. Like suppose there is search input field — the user gives something like <script>alert("I am here")</script>. Is there anway I could know this is a html tag. If the user appends an extra parameter to a link field, is there like a before and after check I could do for the document to realize there has been a extra link field.

Best Solution

You really should allow users to input as little HTML and/or javascript as possible. One good solution to validating and sanitizing this stuff is to use a ready-made library like OWASP AntiSamy.

Also, take a look at OWASP Enterprise Security API for a collection of security methods that a developer needs to build a secure web application.