XSS attacks in jsp

Question

Hi I have a jsp page in which following lines

if(Exception err) {
  out.println (err.getMessage() + "<br/><br/>");
}

may get XSS attacks i want to it just display the above things without any XSS attacks Any thought ?

unless I'm missing something (e.g. there is code you meant to post that got lost) there are no variables, parameters or SQL used in the above code that could be hijacked. — scunliffe, Feb 24 '11 at 11:20
The code you've shown is not prone to XSS as there's nothing dynamic in it. Please post something more resembling your real code if you want help. — Don Roby, Feb 24 '11 at 11:20
@scunlife, if err.getMessage() contains data from the user (ex. wrong input) than there is a possibility of XSS. — RealHowTo, Feb 24 '11 at 12:25

score 3 · Answer 1 · edited May 23 '17 at 12:11

3

use c:out tag.

Also See

edited May 23 '17 at 12:11

Community

answered Feb 24 '11 at 11:19

jmj

it's not possible to write scriptlet in c:out tag – Neeraj Feb 24 '11 at 12:44
2

It is also not recommended to write scriptlet in jsp. what you want to write exactly ?? – jmj Feb 24 '11 at 12:46

score 0 · Answer 2 · answered Feb 24 '11 at 23:08

0

Apache Commons provides StringEscapeUtils, see the escapeHtml() method

answered Feb 24 '11 at 23:08

RealHowTo

2 Answers2