Removing script tags from a string in Java


It is important to strip script tags from input that will later be displayed, to reduce the risk of cross-site scripting (XSS) injections. The Java method below uses a regular expression to find opening and closing script tags (with or without attributes) and removes them from the string, leaving the script code that sat between the start and end tags in place.

import java.util.regex.Matcher;
import java.util.regex.Pattern;

private static String removeScriptTags(String message) {
      // Matches an opening or closing <script> tag, including any attributes.
      // HTML tag names are case-insensitive, so the pattern must match <SCRIPT> as well;
      // \s allows tabs and newlines, not only spaces, between '<' and the tag name.
      String scriptRegex = "<(/)?\\s*script[^>]*>";
      Pattern pattern2 = Pattern.compile(scriptRegex, Pattern.CASE_INSENSITIVE);

      if (message != null) {
            Matcher matcher2 = pattern2.matcher(message);
            StringBuffer str = new StringBuffer(message.length());
            // Replace every matched tag with a single space; text between tags is kept.
            while (matcher2.find()) {
                  matcher2.appendReplacement(str, Matcher.quoteReplacement(" "));
            }
            matcher2.appendTail(str);
            message = str.toString();
      }
      return message;
}
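As an added example (not part of the original post), the complete class below runs the method, compiled case-insensitively, over a few constructed inputs to show exactly what is removed and what is kept, and includes a small escapeHtml helper (a hypothetical name) as the complementary step of encoding the remaining text before it is displayed.

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;
public class RemoveScriptTagsDemo {
    // Same pattern as the post, compiled case-insensitively (HTML tag names are not case-sensitive).
    private static final Pattern SCRIPT_TAG =
            Pattern.compile("<(/)?\\s*script[^>]*>", Pattern.CASE_INSENSITIVE);
    static String removeScriptTags(String message) {
        if (message == null) return null;
        Matcher m = SCRIPT_TAG.matcher(message);
        StringBuffer out = new StringBuffer(message.length());
        while (m.find()) {
            m.appendReplacement(out, Matcher.quoteReplacement(" "));
        }
        m.appendTail(out);
        return out.toString();
    }
    // Complementary defence: encode the text for HTML so the browser never parses it as markup.
    static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&': sb.append("&amp;"); break;
                case '<': sb.append("&lt;"); break;
                case '>': sb.append("&gt;"); break;
                case '"': sb.append("&quot;"); break;
                case '\'': sb.append("&#39;"); break;
                default: sb.append(c);
            }
        }
        return sb.toString();
    }
    // Constructed sample inputs; expected values are what the tag-stripping method returns.
    private static void check(String input, String expected) {
        String actual = removeScriptTags(input);
        if (!expected.equals(actual)) {
            throw new AssertionError("for " + input + " got: " + actual);
        }
    }
    public static void main(String[] args) {
        check("<script>alert(1)</script>", " alert(1) ");     // tags removed, script body kept
        check("<SCRIPT src=\"a.js\"></SCRIPT>", "  ");         // mixed case and attributes
        check("x< script\n>y</ script >z", "x y z");         // whitespace inside the tag
        check("<b>bold</b>", "<b>bold</b>");                  // other tags are left untouched
        System.out.println(escapeHtml("<script>alert(1)</script>"));
    }
}
```

Compile and run with `javac RemoveScriptTagsDemo.java && java RemoveScriptTagsDemo`; the checks throw if the method's behaviour differs from what is described above.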