Spring MVC - Is there a way to sanitize user inputs without needing c:out on every JSP page?

Tags: spring, xss

I'm trying to secure my Spring MVC web app against cross-site scripting (XSS) attacks.

At first I thought I could simply set defaultHtmlEscape in my web.xml and be done. But I found that had no effect. As explained here -- Spring or App-Server escape html isn't working JAVA MVC, defaultHtmlEscape has no effect on INPUTS. It only sanitizes OUTPUTS within c:out tags.

So then I figured I'd write a filter to intercept requests, examine the parameters, and sanitize them as needed. But while looking into how to write the filter, I came across this -- XSS Filter to enctype="multipart/form-data" forms. It includes comments suggesting that filtering inputs is a bad idea, and that I should stick to filtering outputs.

Several posts mention HDIV and other third-party security solutions, but I'd rather not introduce a new third-party dependency to my project for something as basic as sanitization.

But filtering outputs seems inconvenient and error-prone. Are all the developers who touch my web app expected to remember to use c:out for EVERY output value on EVERY JSP page? Surely a global setting would be better? What's the best practice here?

Thanks in advance for your advice.

Steve Saporta asked Nov 01 '22 08:11

1 Answer

This is a big question. There is no easy or automatic way to do it. Every developer on your team should understand the basic aspects of this. The best practices are going to include input validation and output escaping.

Additionally, if you handle input that is expected to be HTML markup, you will have additional complications. AntiSamy is a good place to go for that.

This article is a good place to start: https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet

Matt Jennings answered Nov 15 '22 05:11
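A worked illustration of the output-escaping half of the advice above. This is an added example, not code from the answer or from Spring; it is plain Java with no framework dependency, implementing rules #1 and #2 of the linked OWASP cheat sheet (HTML element content and HTML attribute value escaping). The class and method names and the sample payload are this example's own; Spring's equivalent for the element-content case is the existing org.springframework.web.util.HtmlUtils.htmlEscape(String), which is what <c:out> and the Spring form tags call into when escaping is enabled.

```java
import java.util.Locale;

/**
 * Context-aware output escaping for the two places untrusted data most often
 * lands in a JSP: HTML element content and quoted HTML attribute values.
 * Illustrative stand-alone code, not taken from the thread or from Spring.
 */
public final class OutputEscaping {

    /** OWASP rule #1: in element content, escape the six significant characters. */
    public static String forHtmlContent(String untrusted) {
        StringBuilder sb = new StringBuilder(untrusted.length() + 16);
        for (int i = 0; i < untrusted.length(); i++) {
            char c = untrusted.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#x27;"); break;
                case '/':  sb.append("&#x2F;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /**
     * OWASP rule #2: inside an attribute value, escape every ASCII character that
     * is not alphanumeric. An unquoted attribute can be terminated by whitespace
     * and other punctuation, not only by a quote, so the six-character list from
     * rule #1 is not enough here. Non-ASCII text is passed through unchanged.
     */
    public static String forHtmlAttribute(String untrusted) {
        StringBuilder sb = new StringBuilder(untrusted.length() * 3);
        for (int i = 0; i < untrusted.length(); i++) {
            char c = untrusted.charAt(i);
            boolean alnum = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') || (c >= '0' && c <= '9');
            if (alnum || c > 127) {
                sb.append(c);
            } else {
                sb.append("&#x")
                  .append(Integer.toHexString(c).toUpperCase(Locale.ROOT))
                  .append(';');
            }
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed sample input: a request parameter a tester might send.
        String payload = "\"><script>alert(1)</script>";

        // Vulnerable rendering: what a JSP that writes ${param.q} straight into
        // the page produces. The quote closes the attribute and the script runs.
        String vulnerable = "<input value=\"" + payload + "\">";

        // Hardened rendering: the same two templates with escaping chosen for the
        // context the data is written into.
        String hardenedAttr = "<input value=\"" + forHtmlAttribute(payload) + "\">";
        String hardenedBody = "<p>" + forHtmlContent(payload) + "</p>";

        System.out.println("vulnerable: " + vulnerable);
        System.out.println("attribute : " + hardenedAttr);
        System.out.println("content   : " + hardenedBody);
    }
}
```

Two caveats a practitioner would want alongside the answer. First, the escaping has to be picked per context: neither form above is safe for data written inside a <script> block or an event-handler attribute such as onclick, which the cheat sheet covers under a separate JavaScript-escaping rule. Second, escaping is lossless and reversible, which is why it is preferred over filtering inputs: the original value is still stored intact and can be emitted safely into any context later, whereas a filter that strips "<script>" at the request boundary destroys data, misses encodings it did not anticipate, and gives no protection for values that reach the page by another route.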