There are three ways to avoid it (XSS from user data written into the page through an unescaped ${} expression in a JSP).

#1, always use c:out; its escapeXml attribute is true by default, so the value is escaped before it is written:
    <c:out value="${user.name}"/>

#2, use fn:escapeXml (from the JSTL functions taglib, uri http://java.sun.com/jsp/jstl/functions) to escape the value inside ${}:
    ${fn:escapeXml(user.name)}

#3, add a listener that escapes wherever ${} is used, so pages that forget #1 or #2 are still covered. Add the listener in web.xml:
    <listener>
        <listener-class>com.github.pukkaone.jsp.EscapeXmlELResolverListener</listener-class>
    </listener>
The listener Java class can be found here:
http://pukkaone.github.io/2011/01/03/jsp-cross-site-scripting-elresolver.html

Note that escapeXml (the attribute and the function alike) replaces only the characters &, <, >, " and '. That is enough for text placed in an element body or a quoted attribute value, but it is not a substitute for JavaScript or URL encoding when the value lands inside a <script> block, an event handler, or a URL; those contexts need their own encoding.
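To make #3 concrete, here is an added example of how such a listener works: it registers a custom ELResolver that delegates the actual lookup to the normal resolver chain and escapes any String it gets back, so every ${} on every page is escaped without touching the JSPs. This is an illustrative re-implementation written for this post, not the pukkaone code linked above; the package name com.example.web and the class names are made up, and it assumes the javax.servlet / javax.el API of JSP 2.1 (Servlet 2.5 era, matching the post) on Java 8 or later.

```java
package com.example.web; // hypothetical package; use your own

import java.beans.FeatureDescriptor;
import java.util.Iterator;

import javax.el.ELContext;
import javax.el.ELResolver;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.jsp.JspApplicationContext;
import javax.servlet.jsp.JspFactory;

/**
 * Registers an ELResolver that HTML-escapes every String produced by a ${...}
 * expression. Illustrative re-implementation of the approach; not the
 * pukkaone listener referenced in the post.
 */
public class EscapingELResolverListener implements ServletContextListener {

    @Override
    public void contextInitialized(ServletContextEvent event) {
        // addELResolver must be called before the first JSP executes, which is
        // why the registration lives in a ServletContextListener.
        JspApplicationContext jspContext = JspFactory.getDefaultFactory()
                .getJspApplicationContext(event.getServletContext());
        jspContext.addELResolver(new EscapingELResolver());
    }

    @Override
    public void contextDestroyed(ServletContextEvent event) {
        // nothing to release
    }

    /** Same five replacements JSTL's escapeXml performs: &, <, >, ", '. */
    static String escapeXml(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&#034;"); break;
                case '\'': sb.append("&#039;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    static final class EscapingELResolver extends ELResolver {
        // context.getELResolver() is the composite chain, which includes this
        // resolver, so guard against re-entering ourselves while delegating.
        private final ThreadLocal<Boolean> delegating =
                ThreadLocal.withInitial(() -> Boolean.FALSE);

        @Override
        public Object getValue(ELContext context, Object base, Object property) {
            if (delegating.get()) {
                // Inner pass: leave propertyResolved false so the chain moves on.
                return null;
            }
            delegating.set(Boolean.TRUE);
            try {
                // Let the standard resolvers (scoped attributes, beans, maps, ...)
                // perform the lookup; they set propertyResolved when they succeed.
                Object value = context.getELResolver().getValue(context, base, property);
                if (context.isPropertyResolved() && value instanceof String) {
                    return escapeXml((String) value);
                }
                return value;
            } finally {
                delegating.set(Boolean.FALSE);
            }
        }

        // Only reads are intercepted; everything else is left to the chain.
        @Override public Class<?> getType(ELContext context, Object base, Object property) { return null; }
        @Override public void setValue(ELContext context, Object base, Object property, Object value) { }
        @Override public boolean isReadOnly(ELContext context, Object base, Object property) { return false; }
        @Override public Iterator<FeatureDescriptor> getFeatureDescriptors(ELContext context, Object base) { return null; }
        @Override public Class<?> getCommonPropertyType(ELContext context, Object base) { return null; }
    }
}
```

Register it in web.xml exactly like the listener above, with com.example.web.EscapingELResolverListener as the listener-class. Two consequences of escaping at resolution time are worth checking in rendered output: a value that then passes through c:out is escaped twice (an `&lt;` becomes `&amp;lt;`), and string comparisons or fn: calls inside ${} see the escaped text, so a test against a literal containing `'` or `&` no longer matches. Pages that must emit trusted HTML need a separate, explicit path.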