
I have to secure a java web application against XSS attacks. There are parts of the code that look like this:

<script>
  jsvariable = ${jspvariable}
  use(jsvariable)
</script>

My first thought was to do something like this:

<script>
  jsvariable = ${fn:escapeXml(jspvariable)}
  use(jsvariable)
</script>

But escapeXml doesn't avoid XSS inside a script tag. What's the correct way to send a value from JSP to JavaScript?

jspurim

1 Answer


You could write your jsp data in a text/json block which will be ignored by the browser:

<script id="demo" type="text/json">
  ${jspvariable}
</script>

You can then parse the values in your javascript file on dom ready:

console.log(JSON.parse(document.getElementById('demo').innerHTML));

An XSS injection could only lead to a JSON parse error.

jantimon
  • Actually what about this case: `jspvariable = {}` – jspurim Aug 18 '14 at 01:56
  • You should combine it with CSP and disallow any inline javascript: http://www.html5rocks.com/en/tutorials/security/content-security-policy/?redirect_from_locale=de – jantimon Aug 18 '14 at 06:29
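The following is an added example and is not code from the question, the answer, or the JSTL library. It covers both patterns discussed on this page: the inline `jsvariable = ${...}` assignment from the question and the `text/json` block from the answer. The idea is to JSON-encode the value and then rewrite the few characters the HTML parser reacts to inside a script element (`<`, `>`, `&`) as `\uXXXX` escapes, which JSON and JavaScript both decode back to the original characters. In a JSP application this encoding would run on the Java side (for instance in a custom EL function used in place of `fn:escapeXml`); it is written in JavaScript here so the round trip through `JSON.parse` can be exercised in one place. The function names `encodeForScript`, `renderInlineAssignment`, `renderJsonBlock`, `literalIsHtmlSafe` and `roundTrip` are hypothetical, and `untrustedSample` is constructed test data.

```javascript
// Added example, not from the question or the answer.
// Encode a server-side value so it can be embedded inside an inline <script>
// block or a text/json block without producing any character that the HTML
// parser treats specially inside a script element.

// JSON.stringify turns any value into a JS literal and handles quotes,
// backslashes and control characters. The HTML parser still reacts to '<',
// '>' and '&' inside <script>, and older JS engines reject raw U+2028/U+2029
// inside string literals, so those five characters are rewritten as \uXXXX
// escapes. \uXXXX is valid JSON, so JSON.parse (and the JS engine for an
// inline literal) decodes them back to the original characters.
function encodeForScript(value) {
  return JSON.stringify(value)
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/&/g, '\\u0026')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// Pattern from the question: inline assignment into a JS variable.
// The value becomes a proper literal instead of raw code after the '='.
function renderInlineAssignment(value) {
  return '<script>\n  var jsvariable = ' + encodeForScript(value) + ';\n</script>';
}

// Pattern from the answer: a text/json data block read back with JSON.parse.
function renderJsonBlock(value) {
  return '<script id="demo" type="text/json">' + encodeForScript(value) + '</script>';
}

// Defender's check: an encoded literal must contain no '<', '>' or '&' at all,
// so the only </script> in the rendered markup is the one the template wrote.
function literalIsHtmlSafe(encoded) {
  return !/[<>&]/.test(encoded);
}

// Encode, check, and parse back, returning everything the caller may inspect.
function roundTrip(value) {
  const encoded = encodeForScript(value);
  return {
    encoded: encoded,
    safe: literalIsHtmlSafe(encoded),
    decoded: JSON.parse(encoded),
  };
}

// Constructed untrusted sample (hypothetical user input): quotes, a backslash,
// an ampersand, a closing script tag and a U+2028 line separator.
const untrustedSample = {
  name: 'Tom & "Jerry"',
  note: 'ends with </script>\\ and \u2028 a line separator',
};

// Stand-alone demonstration.
const result = roundTrip(untrustedSample);
console.log(renderInlineAssignment(untrustedSample));
console.log(renderJsonBlock(untrustedSample));
console.log('literal safe for <script>:', result.safe);
console.log('round trip preserved value:',
  JSON.stringify(result.decoded) === JSON.stringify(untrustedSample));
```

The same encoder serves both patterns. For the `text/json` block from the answer, the block's `type` only keeps the browser from executing the contents as script; it is the server-side encoding that keeps a value from terminating the element early, which is the concern raised in the comments. A CSP that forbids inline scripts, as suggested there, limits the impact if an encoding step is ever missed.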