
I have a situation here: I have a page which is using <c:out> to show data from DB, in which the content has some special characters such as the Registered Trademark. I am using Java, JSP, JSTL in my code. The registered trademark symbol is displayed as:

®

The imports are exactly perfect like :

 <%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
 <%@ page contentType="text/html; charset=UTF-8" pageEncoding="UTF-8" %>

If I print using the code below, it displays the correct registration mark, but the thing is that it causes a security violation.

 <c:out escapeXml="false" value="${prName}"/>

I am using Veracode to scan my code; since I have given here `escapeXml="false"`, Veracode points out that this is a vulnerability.

So when I remove the escapeXml, it displays as it is, like:

 <span class="sup">&reg;</span>

Kindly suggest me a way out of this problem? Any help is deeply appreciated.

The Dark Knight

1 Answer


Because you allow tags in your page, it is treated as a vulnerability.

Instead of writing

<span class="sup">&reg;</span>

you could write

<script>alert("Alert");</script>

which would be a persistent XSS.

Try to refactor your code to not include any tags inside your value from the database. Else be sure that the value from the database is sanitized.

Uwe Plonus
  • The DB is maintained by a third party vendor and not under my own control, hence I can't change the DB value. I have got to show the trademark in the page after I retrieve it from DB. The DB contains XML values; if they are not escaped, the actual value is not printed in the page. In that vein, how can I sanitize the value that I retrieve from DB? – The Dark Knight Jul 15 '13 at 10:12
  • You should use some library like [ESAPI](https://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API) for sanitizing input. Also note that retrieving data from a database that is not under your control is also input from an external source. – Uwe Plonus Jul 15 '13 at 10:17
  • What about using `jsoup`? Will it help? http://stackoverflow.com/questions/4206850/how-to-prevent-javascript-injection-xss-when-jstl-escapexml-is-false?rq=1 – The Dark Knight Jul 15 '13 at 10:21
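As an added example (not code from the question, the answer or the comments), here is the allowlist approach the answer and comments point at, done with jsoup: the value from the vendor DB is cleaned so that only `<span class="...">` survives and any other tag or attribute is dropped, and only the cleaned result is handed to `<c:out escapeXml="false">`. It assumes jsoup 1.14.1 or later on the classpath (older releases name the class `Whitelist` instead of `Safelist`); the class name and the sample strings are constructed for the example.

```java
import org.jsoup.Jsoup;
import org.jsoup.safety.Safelist;

/**
 * Added example (not from the original post): cleans a DB value so it can be
 * rendered with escapeXml="false" without letting arbitrary markup through.
 */
public final class TrademarkMarkupSanitizer {

    // Allowlist: only <span> with a class attribute. Every other tag (script,
    // img, a, ...) and every other attribute (onclick, style, ...) is removed;
    // plain text and character entities such as &reg; are kept.
    private static final Safelist SUP_SPAN_ONLY = Safelist.none()
            .addTags("span")
            .addAttributes("span", "class");

    private TrademarkMarkupSanitizer() {
    }

    /**
     * Returns markup that is safe to emit unescaped under the allowlist above.
     * Jsoup.clean parses the input as a body fragment and re-serialises only
     * the nodes the Safelist permits, so unknown tags are dropped rather than
     * escaped (which is what the question needs: the trademark span stays).
     */
    public static String clean(String dbValue) {
        if (dbValue == null) {
            return "";
        }
        return Jsoup.clean(dbValue, SUP_SPAN_ONLY);
    }

    public static void main(String[] args) {
        // Constructed sample values standing in for vendor DB content.
        String legit = "Acme Widget<span class=\"sup\">&reg;</span>";
        String hostile = "Acme<script>alert(\"Alert\");</script>"
                + "<span class=\"sup\" onclick=\"x()\">&reg;</span>";

        // The first keeps its span; the second loses the script element and
        // the onclick attribute but keeps the span and the entity.
        System.out.println(clean(legit));
        System.out.println(clean(hostile));
    }
}
```

Call `clean(...)` in the servlet or controller and put the result in the request attribute that `<c:out escapeXml="false" value="${prName}"/>` reads, so the JSP never sees the raw DB value; the scanner will still flag the `escapeXml="false"` line, so the cleaning step is what you document when accepting that finding.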