0

Is it possible to perform an XSS attack from HttpServletResponse.setHeader, HttpServletResponse.addHeader or HttpServletResponse.addCookie?

Thanks.

zbengg
  • What you've asked is a yes/no question. I suspect that that's not the answer you're looking for, so you should edit your question to reflect what you _really_ want to know. – Michael Feb 09 '16 at 10:20
  • This is your least concern. Focus on sanitizing user controlled input when embedding it in generated HTML output. Exactly there at the place where it can **actually** harm. [For that you've and ${fn:escapeXml()}](http://stackoverflow.com/q/2658922). Performing preventive measures elsewhere (e.g. servlet filter which cleans all request parameters beforehand, etc) is borderline ridiculous as it goes overboard and only causes overhead/confusion/loss-of-control. – BalusC Feb 09 '16 at 12:12

0 Answers