Inside a JSP page, I have an input value attribute which is filled this way:

value="${param.name}"

It is vulnerable to an XSS attack if someone manages to put in something like

"><script>doEvil();</script>

How do I properly escape the value of param.name to fix the vulnerability?

Samuel Rossille

1 Answer

Use the JSTL fn:escapeXml() function.

<%@taglib prefix="fn" uri="http://java.sun.com/jsp/jstl/functions" %>
...
<input value="${fn:escapeXml(param.name)}" />

An alternative is using a decent MVC framework offering taglibs to represent HTML input elements which already implicitly escape XML/HTML, such as JSF and Spring MVC, so that you don't need to repeat the same thing all over the place and worry about accidentally overlooking one.

BalusC
  • Thank you. Most of our client code is on the client side and gets data with ajax requests that are processed with appropriate APIs on the client side, but we have a couple of legacy JSPs from a very long time ago that we have not migrated yet. – Samuel Rossille Sep 27 '13 at 17:26
  • I found a reminder of the danger of using just HTML escaping in attribute values after looking through a recent paper, https://arxiv.org/ftp/arxiv/papers/1804/1804.00754.pdf . Its authors used automation to find a chance to inject malicious JavaScript in event handler attributes such as `onclick='myfunc()'`. Injecting `42);alert(1);(42` will result in executing the malicious payload `alert(1)`. – eel ghEEz Aug 22 '18 at 17:28
  • Luckily, the majority of server-to-JavaScript-handler embedding occurs as part of a JavaScript string, e.g. in `onclick='myfunc("...")'`. In that case applying a JavaScript string encoder (with an HTML encoder on top if the former does not cover the latter) will suffice. – eel ghEEz Aug 22 '18 at 23:18
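As an added illustration of the answer and the comment thread (not code from the original post or from JSTL), a Java sketch of the two encoders involved: an equivalent of what fn:escapeXml() replaces, and a JavaScript-string encoder for a value embedded inside an event-handler attribute, layered exactly as the last comment describes. The class and method names and the sample inputs are my own.

```java
/** Context-aware encoding of values placed in JSP attributes (added example; names are my own). */
public final class AttributeEncoding {

    /** Replaces the same five characters that JSTL's fn:escapeXml() replaces. */
    static String escapeXml(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (char c : s.toCharArray()) {
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '\'': sb.append("&#039;"); break;
                case '"':  sb.append("&#034;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Encodes for a JavaScript string literal: anything but ASCII letters/digits becomes \xHH or \uHHHH. */
    static String escapeJsString(String s) {
        StringBuilder sb = new StringBuilder(s.length() * 4);
        for (char c : s.toCharArray()) {
            if (c < 128 && Character.isLetterOrDigit(c)) {
                sb.append(c);
            } else if (c < 256) {
                sb.append(String.format("\\x%02X", (int) c));
            } else {
                sb.append(String.format("\\u%04X", (int) c));
            }
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed inputs standing in for ${param.name}: the question's attribute breakout,
        // and the same idea adapted to the JavaScript-string context from the last comment.
        String attrBreakout = "\"><script>doEvil();</script>";
        String jsBreakout = "\");alert(1);(\"";

        // Plain value="..." attribute: HTML escaping alone is sufficient.
        System.out.println("<input value=\"" + escapeXml(attrBreakout) + "\" />");

        // Event-handler attribute: the browser HTML-decodes the attribute first and only then
        // parses it as JavaScript, so encode for the JS string first and HTML-escape on top.
        String handler = escapeXml(escapeJsString(jsBreakout));
        System.out.println("<button onclick='myfunc(\"" + handler + "\")'>go</button>");
    }
}
```

Running it shows the quote and angle brackets of the first input rendered inert as entities, and the second input reduced to `\xHH` sequences that remain inside the string literal once the browser decodes the attribute.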