Inside a JSP page, I have an input whose value attribute is filled this way:
value="${param.name}"
It is vulnerable to an XSS attack if someone manages to put in something like
"><script>doEvil();</script>
How do I properly escape the value of param.name to fix the vulnerability?
Escaping from XSS
Escaping is the primary means to avoid cross-site scripting attacks. When escaping, you are effectively telling the web browser that the data you are sending should be treated as data and should not be interpreted in any other way.
No. Putting aside the subject of allowing some tags (not really the point of the question), HtmlEncode simply does NOT cover all XSS attacks.
The short answer is no, it's not enough. The long answer is it depends on the context of where the user data goes. In an attribute it definitely will not be safe. In the body of certain tags, etc...
In general, effectively preventing XSS vulnerabilities is likely to involve a combination of the following measures: Filter input on arrival. At the point where user input is received, filter as strictly as possible based on what is expected or valid input. Encode data on output.
Use the JSTL fn:escapeXml() function.
<%@taglib prefix="fn" uri="http://java.sun.com/jsp/jstl/functions" %>
...
<input value="${fn:escapeXml(param.name)}" />
An alternative is using a decent MVC framework offering taglibs to represent HTML input elements which already implicitly escape XML/HTML, such as JSF and Spring MVC, so that you don't need to repeat the same thing all over the place and worry about accidentally overlooking one.
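To show what fn:escapeXml() actually does to the payload from the question, here is an added plain-Java example (not code from the original answer or from the JSTL project). The escapeXml method below is a stand-in that replaces the same five characters JSTL's function does; EscapeXmlDemo, renderUnescaped and renderEscaped are names chosen for this illustration, and the payload string is constructed from the question.

```java
// Added example: a plain-Java stand-in for JSTL fn:escapeXml(), applied to
// the attack payload from the question. Not the JSTL implementation itself.
public final class EscapeXmlDemo {

    // Replaces the same characters fn:escapeXml() replaces: < > & ' "
    // The numeric entities for the two quote characters match what JSTL emits.
    static String escapeXml(String s) {
        if (s == null) {
            return "";
        }
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '\'': sb.append("&#039;"); break;
                case '"':  sb.append("&#034;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // What the JSP emits for value="${param.name}": the raw parameter is
    // pasted straight into the attribute, so a '"' in it closes the attribute.
    static String renderUnescaped(String name) {
        return "<input value=\"" + name + "\" />";
    }

    // What the JSP emits for value="${fn:escapeXml(param.name)}": every
    // quote and angle bracket becomes an entity, so the value stays a string.
    static String renderEscaped(String name) {
        return "<input value=\"" + escapeXml(name) + "\" />";
    }

    public static void main(String[] args) {
        // Constructed test input, taken from the question.
        String payload = "\"><script>doEvil();</script>";
        System.out.println(renderUnescaped(payload));
        System.out.println(renderEscaped(payload));
    }
}
```

Running it prints the two rendered tags: the unescaped one contains a literal `"><script>` that terminates the attribute and injects an element, while the escaped one contains only entities (`&#034;&gt;&lt;script&gt;...`), so the browser keeps the whole payload inside the value. Note that this escaping is appropriate for HTML element content and quoted attribute values; as the earlier answers point out, a value placed inside a script block, an event handler, a URL or CSS needs escaping for that context instead.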