
I read this post and others about using JSTL in this matter.

My issue is a bit different. One of our features allows users to write hash-tags in their comments.

Whenever the comments are listed, a server script turns every #fooHashtag into <a href='tag?fooHashtag'>#fooHashtag</a>.

Then all the comments are listed on the GUI using JSTL:

<c:forEach items="${comments}" var="comment">
    ${fn:escapeXml(comment)}
</c:forEach>

As expected, this piece of code also escapes the hash links built on the server. If I remove the fn:escapeXml, then the application won't be safe anymore.

Do you have any idea about a fix for this (other than manually building an XSS filter)? It would be great if somehow I were able to use JSTL's escapeXml on the server before converting the hashtags. Is there a way to do that?

Thank you!

TGM

1 Answer


Some ways to solve it:

  • escape before adding the tags. Use a decent html encoder instead of escapeXml (HTML isn't even XML)

  • add tags, then run through owasp antisamy. No escaping

  • Move the tag to link functionality into javascript.

Erlend