1.3 Cross-Site Scripting (XSS)
- Technique #1—HTML Escape Before Inserting Untrusted Data into HTML Element Content
Across the Oracle Banking Trade Finance Cloud Service application, context-specific escaping is used to sanitize untrusted data before it is written into a page. For HTML element content, the following function escapes the potentially tainted data:
public static String escapeHTML(String input);
The following characters are escaped with HTML entity encoding to prevent switching into any execution context, such as script, style, or event handlers. The recommended hex entities are used for the apostrophe and the forward slash. In addition to the five characters significant in XML (&, <, >, ", '), the forward slash is included because it is needed to close an HTML tag (for example </script>).
& --> &amp;
< --> &lt;
> --> &gt;
" --> &quot;
' --> &#x27;
/ --> &#x2F;
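The character table above carried into a working escaper, as an added example that is not the product's escapeHTML implementation (only the method name and signature follow the page; the class name HtmlEscapeExample and the sample payloads are constructed for illustration):

```java
/*
 * Added example: a context-specific HTML escaper implementing the Technique #1
 * character table. Illustrative code, not the Oracle Banking Trade Finance
 * Cloud Service implementation; only the method name and signature follow the page.
 */
public final class HtmlEscapeExample {

    private HtmlEscapeExample() {
    }

    /** Escapes & < > " ' and / with HTML entities, using hex entities for ' and /. */
    public static String escapeHTML(String input) {
        if (input == null) {
            return null;
        }
        StringBuilder out = new StringBuilder(input.length() + 16);
        for (int i = 0; i < input.length(); i++) {
            char c = input.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#x27;"); break; // &apos; is not in HTML 4, so the hex entity is used
                case '/':  out.append("&#x2F;"); break; // cannot close a tag such as </script> any more
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed attacker-controlled values
        String elementPayload = "</td><script>alert(document.cookie)</script>";
        String attributePayload = "\" onmouseover=\"alert(1)";

        // Element content: the escaped value can no longer close <td> or open <script>
        System.out.println("<td>" + escapeHTML(elementPayload) + "</td>");

        // Double-quoted attribute value: the escaped quote cannot terminate the attribute
        System.out.println("<input value=\"" + escapeHTML(attributePayload) + "\">");
    }
}
```

escapeHTML is correct for element content and for double-quoted attribute values. It does not make data safe inside a <script> block, inside an unquoted attribute, or in a URL or CSS context; those need Techniques #2 to #4.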
- Technique #2—JavaScript Escape Before Inserting Untrusted Data into JavaScript Data Values
Including untrusted data inside any other JavaScript context is quite dangerous, as it is extremely easy to switch into an execution context with characters including (but not limited to) semicolon, equals, space, plus, and many more. For the JavaScript context, the following function escapes the potentially tainted data:
public static String escapeJavaScript(String input);
- Technique #3—Escape JavaScript Characters
This works in conjunction with Technique #2. In Oracle Banking Trade Finance Cloud Service, every character with a code point below 256, except alphanumeric characters, is escaped in the \xHH format to prevent switching out of the data value into the script context or into another attribute. Escaping shortcuts such as \" are not used, because the quote character may be matched by the HTML attribute parser, which runs first. Such shortcuts are also susceptible to "escape-the-escape" attacks, in which the attacker sends \" and the vulnerable code turns it into \\", which leaves the quote live.
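Techniques #2 and #3 together, as an added example that is not the product's escapeJavaScript: a \xHH escaper for JavaScript data values beside a deliberately weak escaper that uses the \" shortcut, so the escape-the-escape case can be seen. The class JsEscapeExample, the method weakEscape and the payloads are constructed here; the handling of code points at or above 256 goes beyond the page's text and is marked as an assumption in the code.

```java
/*
 * Added example for Techniques #2 and #3. Illustrative code, not the product's
 * escapeJavaScript; only the method name and signature follow the page.
 */
public final class JsEscapeExample {

    private JsEscapeExample() {
    }

    /** Technique #3: only A-Z, a-z, 0-9 pass through; everything else below 256 becomes \xHH. */
    public static String escapeJavaScript(String input) {
        if (input == null) {
            return null;
        }
        StringBuilder out = new StringBuilder(input.length() * 4);
        for (int i = 0; i < input.length(); i++) {
            char c = input.charAt(i);
            if ((c >= '0' && c <= '9') || (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z')) {
                out.append(c);
            } else if (c < 256) {
                out.append(String.format("\\x%02X", (int) c));
            } else {
                // Assumption beyond the page's text: code points >= 256 are written as \uHHHH
                // so that no raw non-ASCII character reaches the script either.
                out.append(String.format("\\u%04X", (int) c));
            }
        }
        return out.toString();
    }

    /** Deliberately weak: the \" shortcut the page warns against, escaping only the quote. */
    static String weakEscape(String input) {
        return input.replace("\"", "\\\"");
    }

    public static void main(String[] args) {
        // Constructed payload; the attacker sends:  \"; alert(1); //
        String payload = "\\\"; alert(1); //";

        // Weak: \" becomes \\" so the backslash is consumed and the quote ends the literal.
        System.out.println("var name = \"" + weakEscape(payload) + "\";");

        // Hardened: backslash, quote, semicolon and slash all become \xHH; the literal stays closed.
        System.out.println("var name = \"" + escapeJavaScript(payload) + "\";");

        // </script> cannot close the script block either, since < and / are escaped.
        System.out.println("var html = \"" + escapeJavaScript("</script><img src=x onerror=alert(1)>") + "\";");
    }
}
```

Run the main method and paste each printed line into a browser console: the weak line executes alert(1), the hardened line assigns a plain string. Even with this escaping, the data is safe only as a quoted string value; it is still not safe to pass into eval, a Function constructor, setTimeout with a string argument, or any other location that is later evaluated as code.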
- Technique #4—URL Escape and Strictly Validate Before Inserting Untrusted Data into HTML URL Parameters
Oracle Banking Trade Finance Cloud Service encodes URL parameters with the java.net.URLEncoder class. The value is not checked for being a valid URL; it is URL-encoded directly, and the encoding applied depends on the context in which the value is displayed.
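Technique #4 as an added example (not the product's code): encoding a parameter value with java.net.URLEncoder as the page describes, and the validation step the technique's title asks for when the untrusted value is itself a link target. The helper names encodeParam, buildLink and isSafeHttpUrl, and all sample values, are constructed for illustration.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.Locale;
import java.util.Set;

/*
 * Added example for Technique #4. The helper names are hypothetical; the page
 * states that the product encodes with URLEncoder without validating the URL.
 */
public final class UrlEncodeExample {

    private static final Set<String> ALLOWED_SCHEMES = Set.of("http", "https");

    private UrlEncodeExample() {
    }

    /**
     * URLEncoder produces application/x-www-form-urlencoded output: space becomes '+'
     * and every byte outside A-Z a-z 0-9 . - * _ becomes %HH. It is only correct for a
     * parameter name or value, never for a whole URL or a path segment.
     */
    public static String encodeParam(String value) {
        return URLEncoder.encode(value, StandardCharsets.UTF_8);
    }

    /** Builds a link whose query value is untrusted; only the name and value are encoded. */
    public static String buildLink(String base, String name, String untrustedValue) {
        return base + "?" + encodeParam(name) + "=" + encodeParam(untrustedValue);
    }

    /**
     * When the untrusted data is a complete URL (an href target), encoding it would break
     * it, so it has to be validated instead: parse it and allow only absolute http/https
     * URLs that carry a host. javascript:, data: and scheme-relative targets are rejected.
     */
    public static boolean isSafeHttpUrl(String candidate) {
        try {
            URI uri = new URI(candidate);
            String scheme = uri.getScheme();
            return scheme != null
                    && ALLOWED_SCHEMES.contains(scheme.toLowerCase(Locale.ROOT))
                    && uri.getHost() != null;
        } catch (URISyntaxException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        // Constructed attacker-controlled parameter value
        String injected = "x\"><script>alert(1)</script> a+b";
        System.out.println(buildLink("https://app.example/search", "q", injected));

        // Constructed href targets: only the plain https URL passes the allowlist
        String[] targets = {
            "https://app.example/report?id=7",
            "javascript:alert(document.cookie)",
            "data:text/html,<script>alert(1)</script>",
            "//evil.example/phish",
        };
        for (String t : targets) {
            System.out.println((isSafeHttpUrl(t) ? "allow  " : "reject ") + t);
        }
    }
}
```

Two caveats a practitioner should keep in mind. URLEncoder is for form encoding, so a space becomes + rather than %20 and the output belongs only in a query-string name or value; applying it to a whole URL breaks the URL. And encoding does nothing against a javascript: or data: target that is inserted as a complete href, which is why the allowlist check exists. Neither step makes the surrounding HTML safe: the assembled URL still has to go through escapeHTML when it is placed into an attribute.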
- Technique #5—Use of HttpOnly and Secure Cookie Flags
Oracle Banking Trade Finance Cloud Service sets the HttpOnly flag on the session cookie and on any custom cookies that are not accessed by JavaScript, so that script running in the page, including script injected through an XSS flaw, cannot read them.