21

I display strings in my JSP this way:

${someString}

This string may, of course, contain special HTML characters. Currently it is possible to HTML-inject malicious code (e.g. if someString is a JavaScript include, <script src...>).

How can I make sure that all strings are escaped before printing?

I am using Spring MVC and JSP.

Joshua MN
  • 1,486
  • 2
  • 13
  • 26

3 Answers

30

You can use JSTL core:

<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>

Use the <c:out value="${someString}"/> tag to display Strings. <c:out> escapes HTML characters so that you can avoid cross-site scripting; you can specify that by setting the attribute escapeXml="true". Another advantage is that you can also provide a default value in case the value evaluates to null.

You can also use the fn:escapeXml() EL function. You need to include JSTL functions for that.

<%@ taglib prefix="fn" uri="http://java.sun.com/jsp/jstl/functions" %>

Another possible way would be to build a custom ELResolver.

Enables customization of variable and property resolution behavior for EL expression evaluation.

This blog provides a working example of how it can be done.

For the entire Spring MVC app, you can specify the escaping in the web.xml:

<context-param>
   <param-name>defaultHtmlEscape</param-name>
   <param-value>true</param-value>
</context-param>

But then the escaping applies only to the Spring tags, like:

<form:input path="formField" htmlEscape="true" />

Lastly, you can try the third-party library XSSFilter.

Alex78191
  • 2,383
  • 2
  • 17
  • 24
AllTooSir
  • 48,828
  • 16
  • 130
  • 164
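
As an added example (not part of the answer above), here is a JSP fragment that puts the unsafe raw ${...} output next to the escaped forms the answer recommends. It assumes a servlet container with JSTL on the classpath and EL enabled in template text; the <c:set> with a constructed value stands in for a model attribute a Spring controller would normally add:

```jsp
<%@ page contentType="text/html; charset=UTF-8" pageEncoding="UTF-8" %>
<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
<%@ taglib prefix="fn" uri="http://java.sun.com/jsp/jstl/functions" %>
<%-- Constructed sample value; in a real Spring MVC app it would come from the
     controller's model (model.addAttribute("someString", ...)). --%>
<c:set var="someString" value="Tom & Jerry <script>alert('xss')</script>" />
<html>
<body>
<%-- UNSAFE: raw EL output. The <script> element reaches the browser as markup
     and runs, which is exactly the injection the question describes. --%>
<p>${someString}</p>

<%-- SAFE: c:out escapes &, <, >, ' and ". escapeXml defaults to true, so the
     attribute is written out here only for emphasis. The HTML sent to the
     browser is
     Tom &amp; Jerry &lt;script&gt;alert(&#039;xss&#039;)&lt;/script&gt;
     which the browser displays as plain text instead of executing. --%>
<p><c:out value="${someString}" escapeXml="true" /></p>

<%-- SAFE: fn:escapeXml applies the same escaping as an EL function, which is
     handy inside an attribute value where a tag cannot be placed. --%>
<input type="text" value="${fn:escapeXml(someString)}" />

<%-- c:out can also substitute a default when the expression evaluates to null. --%>
<p><c:out value="${noSuchAttribute}" default="(not set)" /></p>
</body>
</html>
```

The web.xml defaultHtmlEscape context parameter is independent of this: as the answer notes, it only changes the default for Spring's own tags, so a raw ${someString} in template text stays unescaped regardless of that setting and still needs <c:out> or fn:escapeXml.
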
0

You can also control this behaviour at page level using <spring:htmlEscape defaultHtmlEscape="true" />

Simon Oualid
  • 365
  • 2
  • 9
-1

In JSP/Java you should use this code:

In JSP/HTML:

<c:out value="TR tag </tr> Script Tag <script>alert('hello Rahul')</script>" escapeXml="true" />