Monday, March 24, 2014

EL to avoid cross site scripting

If you have ${dataWhichInputByUser} on your JSP, it is potentially exposed to cross-site scripting (XSS): if "dataWhichInputByUser" contains JavaScript, for example <script>alert('abc');</script>, the browser will execute that script when the page is rendered, because EL writes the value into the response unescaped.
There are three ways to avoid it.
#1, always use c:out; its escapeXml attribute is true by default
<c:out value="${user.name}"/>
#2, use fn:escapeXml to escape the XML markup characters (<, >, &, ' and ")
${fn:escapeXml(user.name)}
#3, add an EL resolver that escapes XML wherever ${} is used, so nothing has to be changed in the JSPs themselves. Register its listener in web.xml:
<listener>
  <listener-class>com.github.pukkaone.jsp.EscapeXmlELResolverListener</listener-class>
</listener> 
The listener's Java class can be found here:

http://pukkaone.github.io/2011/01/03/jsp-cross-site-scripting-elresolver.html
