
There is a web project with lots of `<%=%>` in it, which are not XSS safe! Is there any approach that can be used to fix them all?

If you have JSP web projects with lots of `${}`, you can change the EL resolver functionality to override the default ELResolver and make `${}` XSS safe. Please see https://github.com/pukkaone/webappenhance

Is there a similar way for `<%=%>`?! Can we override the functionality of `<%=%>` the same way as `${}`?

I see some guides at Java 5 HTML escaping To Prevent XSS.

  • Do you mean printing the expressions in jsp using this statement `<%=%>` ? – Santhosh Apr 30 '14 at 05:20
  • Yes! They use `<%=%>` to print in JSP – Alireza Fattahi Apr 30 '14 at 05:24
  • So you need to avoid XSS while printing the values in JSP. This may be unrelated to your question, but please see [How to avoid java codes in jsp](http://stackoverflow.com/questions/3177733/how-to-avoid-java-code-in-jsp-files) – Santhosh Apr 30 '14 at 05:27
  • So it is better to use the `c:out` tag instead of it. And for your question, [see this thread](http://stackoverflow.com/questions/17339439/how-to-avoid-xss-in-this-cout) – Santhosh Apr 30 '14 at 05:30
  • @sankrish the problem is that the project was already developed (a long time ago). They wrongly used `<%=%>`. Of course we can change all `<%=%>` to `c:out`, but that needs lots of work, which is why I am looking for other solutions – Alireza Fattahi Apr 30 '14 at 05:36
  • Using `jstl` would be the straightforward approach. Any reason for your worrying about the `<%=%>` expression? How are they vulnerable; do you print any user inputs or strings inside it? – Santhosh Apr 30 '14 at 05:47

1 Answer


No, you cannot. `<%= expr %>` is a basic construct that prints the value as is; someone may need it to dump raw HTML snippets:

```jsp
<%= article.getBodyHtml() %>
```