Monday, March 24, 2014

EL to avoid cross site scripting

If you have ${dataWhichInputByUser} on your JSP, it potentially carries the threat of cross-site scripting, because if "dataWhichInputByUser" contains JavaScript, for example <script>alert('abc');</script>, the browser will execute that JavaScript.
There are three ways to avoid it.
#1, always use c:out; its escapeXml attribute is true by default
<c:out value="${}"/>
#2, use fn:escapeXml (from the JSTL functions taglib) to escape the XML tags
#3, add a listener that escapes XML wherever ${} is used. Register the listener in web.xml
The listener Java class could be found here
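As an added illustration of option #3 (my own code, not the listener class the post links to), here is a ServletContextListener that registers a custom ELResolver through the JSP 2.1 JspApplicationContext API; the class name and the use of Java 8's ThreadLocal.withInitial are my assumptions.

```java
import java.beans.FeatureDescriptor;
import java.util.Iterator;
import javax.el.ELContext;
import javax.el.ELResolver;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.jsp.JspFactory;

// Hypothetical listener: registered in web.xml as
//   <listener><listener-class>EscapeXmlELResolverListener</listener-class></listener>
// it adds an ELResolver that HTML-escapes every String produced by ${...} evaluation.
public class EscapeXmlELResolverListener implements ServletContextListener {
    @Override
    public void contextInitialized(ServletContextEvent sce) {
        JspFactory.getDefaultFactory().getJspApplicationContext(sce.getServletContext())
                  .addELResolver(new EscapeXmlELResolver());
    }
    @Override
    public void contextDestroyed(ServletContextEvent sce) { }

    static final class EscapeXmlELResolver extends ELResolver {
        // getValue delegates to the full resolver chain, which contains this resolver again;
        // the flag breaks that recursion so the standard resolvers do the real lookup.
        private final ThreadLocal<Boolean> delegating = ThreadLocal.withInitial(() -> false);

        @Override
        public Object getValue(ELContext ctx, Object base, Object property) {
            if (delegating.get()) return null;   // inner call: leave it to the standard chain
            delegating.set(true);
            try {
                Object value = ctx.getELResolver().getValue(ctx, base, property);
                if (ctx.isPropertyResolved() && value instanceof String) {
                    return escapeXml((String) value);   // resolved flag already set by delegate
                }
                return value;   // non-String values (beans, maps, lists) pass through untouched
            } finally {
                delegating.set(false);
            }
        }

        static String escapeXml(String s) {
            // '&' first, so the entities introduced afterwards are not escaped twice
            return s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")
                    .replace("\"", "&#034;").replace("'", "&#039;");
        }

        // Read-only resolver: the remaining callbacks defer to the standard chain.
        @Override public Class<?> getType(ELContext c, Object b, Object p) { return null; }
        @Override public void setValue(ELContext c, Object b, Object p, Object v) { }
        @Override public boolean isReadOnly(ELContext c, Object b, Object p) { return false; }
        @Override public Iterator<FeatureDescriptor> getFeatureDescriptors(ELContext c, Object b) { return null; }
        @Override public Class<?> getCommonPropertyType(ELContext c, Object b) { return null; }
    }
}
```

Because the resolver escapes every String the EL machinery returns, a value that is also wrapped in c:out gets escaped twice, and comparisons such as ${name == 'a&b'} now run against the escaped form; check existing pages for both effects before enabling it application-wide.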
