0

I'm using the playframework version 1.2.5 and I have just a simple question.

If I use for example:

public static User findByUsername(String username) {
    return User.find("username = ?", username).first();
}

So if I perform this call, does the "JPAQuery find()" or the playframework prevent cross-site scripting and such things?

If not, what can I easily do to prevent it in all my database interactions?

Thanks a lot.

Cheers,

Marco

biesior
grailsInvas0r

2 Answers

0

Since version 1.0.1, Play's template engine automatically escapes strings. More details on this page: playframework owasp top 10

  • In addition to this, don't forget to check if it's enabled in the application.conf file with "future.escapeInTemplates=true". See here http://www.playframework.org/documentation/1.1.1/security – Gambo Jul 31 '12 at 07:29
0

Cross-site scripting does not quite apply to the code you posted, so I suppose you mean SQL injection. In that case, the code you posted should be safe. (The wrong way would be to build the query by concatenating Strings with + operator.)

See here: http://www.playframework.org/documentation/1.2.5/security#sql

Tommi
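To make the distinction in both answers concrete, here is an added example (not code from the asker or the answerers) of a Play 1.x JPA model that shows the bound-parameter finder from the question next to an equivalent named-parameter query on the EntityManager, and, for contrast, the string-concatenation pattern Tommi's answer calls the wrong way. It assumes a hypothetical `User` entity with a `username` field; the comments on template output cover the point of the first answer (automatic HTML escaping in views).

```java
package models;

import java.util.List;
import javax.persistence.Entity;
import play.db.jpa.JPA;
import play.db.jpa.Model;

// Hypothetical model for illustration; the entity and field names are assumptions.
@Entity
public class User extends Model {

    public String username;

    // Safe (the pattern from the question): the '?' placeholder is a JPA query
    // parameter. The value is bound by the persistence provider and never becomes
    // part of the query text, so quotes or operators in `username` cannot alter it.
    public static User findByUsername(String username) {
        return User.find("username = ?", username).first();
    }

    // Equivalent and equally safe, written explicitly against the EntityManager
    // with a named parameter. Useful when the query is too complex for Model.find().
    public static User findByUsernameNamed(String username) {
        List<User> users = JPA.em()
            .createQuery("select u from User u where u.username = :name", User.class)
            .setParameter("name", username)
            .setMaxResults(1)
            .getResultList();
        return users.isEmpty() ? null : users.get(0);
    }

    // The wrong way described in the answer: the input is concatenated into the
    // query string, so it is parsed as part of the JPQL rather than bound as data.
    // Kept here only to contrast with the two bound-parameter versions above.
    public static User findByUsernameUnsafe(String username) {
        return User.find("username = '" + username + "'").first();
    }
}

// On the output side (the first answer's point): in a Play 1.x view, writing
// ${user.username} HTML-escapes the value by default, so a username containing
// markup is rendered as text, not interpreted by the browser. Escaping is only
// bypassed when a template explicitly calls .raw() on a value, e.g.
// ${user.username.raw()}, which should therefore be reserved for content the
// application itself produced, never for user-supplied strings.
```

Binding parameters protects the query; it does not validate the value, so length and character checks on `username` still belong in the controller or model before the finder is called.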