
JavaEE - RMI code injection


I am developing a JavaEE application using EJB container and EJB.

Suppose I have class Student:

import java.io.Serializable;

class Student implements Serializable {
 private int id;

 private String resume;

 public String getResume(){ return resume; }

 public void setResume(String resume){ this.resume = resume; }

 public void clearXss(){
  // some logic to clear the resume of JS scripts
 }
}

I have a standalone client and a JavaEE server. The client connects via RMI to the EJB container. The client passes objects of the Student class.

My question: is it safe to call the object's clearXss method, or is it necessary to use an external method? I mean:

class MyBean{
 private void save(Student student){...}

 public void saveStudent(Student student){
  student.clearXss();
  save(student);
 }
}

vs

class MyBean{
 private void save(Student student){...}

 private String purifyXss(String string){...}

 public void saveStudent(Student student){
  student.setResume(purifyXss(student.getResume()));
  save(student);
 }
}

What I am afraid of is calling security methods of objects we get from an untrusted client. That's why this is primarily a security question.


Solution

  • It's not a simple question. On one hand, you are justifiably worried about code injection on the server side. On the other hand, as far as I know, in RMI the client object is serialized on the client side as class data only, without methods, and restored (deserialized) on the server side with the server's version of the class, so both variants are safe against method injection on the server side.
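The point made in the answer, as an added example that is not part of the question or answer above: a Java serialization round trip standing in for the RMI hop. Only field values cross the wire, so the clearXss body that runs is the server's own, but the resume field still holds whatever the client sent and must be sanitized server-side. The sanitizer regex is a placeholder assumption (use a real HTML sanitizer in practice), and the deserialization filter requires Java 9+.

```java
import java.io.*;

public class RmiRoundTrip {

    // Server's copy of the class. The client may ship any field values it likes,
    // but only this clearXss() body ever runs on the server.
    static class Student implements Serializable {
        private static final long serialVersionUID = 1L;
        private int id;
        private String resume;

        Student(int id, String resume) { this.id = id; this.resume = resume; }
        String getResume() { return resume; }

        // Placeholder sanitizer (assumption): real code should use an HTML sanitizer library.
        void clearXss() {
            if (resume != null) resume = resume.replaceAll("(?is)<script.*?</script>", "");
        }
    }

    // Client side: what actually travels over RMI is this byte stream,
    // i.e. the class name, field names and field values, never method code.
    static byte[] clientSerialize(Student s) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(s);
        }
        return bos.toByteArray();
    }

    // Server side: rebuild the object from untrusted bytes with the server's class,
    // letting only the expected class (plus java.base types) through the filter.
    static Student serverDeserialize(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            ois.setObjectInputFilter(ObjectInputFilter.Config.createFilter(
                    Student.class.getName() + ";java.base/*;!*"));
            return (Student) ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed untrusted input, as a client might send it.
        byte[] wire = clientSerialize(new Student(7, "<b>Hello</b><script>alert(1)</script>"));
        Student onServer = serverDeserialize(wire);
        onServer.clearXss();                      // server's method, whatever the client's build does
        System.out.println(onServer.getResume());
    }
}
```

Both variants from the question are equivalent in this respect; the remaining risk is in the deserialization step itself, which is why the server restricts the classes it will accept.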