I would like to create a rewrite condition which validates the QUERY_STRING to prevent XSS.
My item looks like:
/ItemPage.jsp?itemId=item_12345_12
where item_12345 is required and "_{VERSIONNUMBER}" is optional in the query string.
In the past I created a RewriteCond for many JavaScript parts which could be critical.
Example:
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [OR]
RewriteCond %{QUERY_STRING} script [NC,OR]
RewriteCond %{QUERY_STRING} img [NC,OR]
RewriteCond %{QUERY_STRING} svg [NC,OR]
...
RewriteRule ^/ItemPage\.jsp?$ /StartPage.jsp [L,R=301]
Over time I found many new possible strings to filter, and the list grew more and more. Now I want to redirect all requests which don't use this schema, to minimize the rules.
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [OR]
RewriteCond %{QUERY_STRING} ^((?!itemId=[\w]).)* [NC,OR]
RewriteRule ^/ItemPage\.jsp?$ /StartPage.jsp [L,R=301]
But if I use this condition I'm redirected all the time. ItemId is not required on ItemPage.jsp, but if ItemId is set in the query string it's required that ItemId=item_12345 + optional ItemId=item_12345_12.
Is such a rule possible in Apache 2.4 to filter XSS code?
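
An added example, not part of the original post: the Python below models the RewriteCond patterns with Python's `re` module to show why the negative-lookahead condition is true for every query string, next to an allowlist pattern anchored at both ends. The numeric id and version format, the case-sensitive `itemId` name, the function names and the sample query strings are assumptions constructed for illustration.

```python
import re

# Negative-lookahead condition from the question; [NC] maps to re.IGNORECASE.
QUESTION_COND = re.compile(r"^((?!itemId=[\w]).)*", re.IGNORECASE)

# Assumed schema: empty query string, or exactly itemId=item_<digits>[_<digits>].
# Equivalent negated directive (assumption, not from the post):
#   RewriteCond %{QUERY_STRING} !^(itemId=item_[0-9]+(_[0-9]+)?)?$
ALLOWED_QUERY = re.compile(r"(itemId=item_[0-9]+(_[0-9]+)?)?")


def question_cond_fires(query_string: str) -> bool:
    """A RewriteCond is true when its pattern matches anywhere in the string.

    The group is under '*', so it may repeat zero times: '^' followed by
    nothing always matches, and no '$' forces the rest to be consumed.
    """
    return QUESTION_COND.search(query_string) is not None


def should_redirect(query_string: str) -> bool:
    """Allowlist check: redirect unless the whole raw query string fits the schema.

    fullmatch() anchors both ends, so extra parameters and percent-encoded
    payloads are rejected without listing 'script', 'img', 'svg', ...
    """
    return ALLOWED_QUERY.fullmatch(query_string) is None


# Constructed sample query strings (raw, as Apache sees them before decoding).
SAMPLES = [
    "",
    "itemId=item_12345",
    "itemId=item_12345_12",
    "itemId=item_12345_12_9",
    "itemId=abc",
    "itemId=item_12345%3Cscript%3E",
    "itemId=item_12345&q=%3Csvg%3E",
]

if __name__ == "__main__":
    for qs in SAMPLES:
        print(f"{qs!r:36} question_cond={question_cond_fires(qs)!s:5} "
              f"allowlist_redirect={should_redirect(qs)}")
```
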