
I have read a lot about the XSS attack and now I understand how it works, so now I am trying to validate it. However, I am having some problems:

Looking at many forums, I did:

1 - Download of jar jstl-1.2
2 - On the .jsp page I have added: `<%@ taglib uri="http://java.sun.com/jsp/jstl/functions" prefix="fn" %>`

And in the field that I am having the problem with I put the escapeXml, so I would like to know if this is the correct format:

```jsp
<div class="ibm-container">
    <div class="ibm-container-body">
        <form action="order_status" class="ibm-column-form ibm-styled-form" method="post">
            <p><label for="customer">Customer number:</label>
            <span><input name="customer" id="customer" maxlength="7" value="${fn:escapeXml(customer)}" type="text" /></span></p>
            <div class="ibm-buttons-row">
                <table border="0px" cellpadding="0px" cellspacing="0px">
                    <tr>
                        <td width="180px"></td>
                        <td>
                            <p><input name="submit" value="<%=com.ibm.ssos.Constants.TEXT_GET_ORDERS%>" type="submit" class="ibm-btn-pri ibm-btn-small" />
                            <input name="action" value="<%=com.ibm.ssos.Constants.TEXT_GET_ORDERS%>" type="hidden" /></p>
                        </td>
                    </tr>
                </table>
            </div>
        </form>
    </div>
</div>
```
  • The escapeXML in the input tag – Guilherme Marcondes Oct 04 '18 at 03:38
  • Possible duplicate of [XSS prevention in JSP/Servlet web application](https://stackoverflow.com/questions/2658922/xss-prevention-in-jsp-servlet-web-application) – Gray Oct 04 '18 at 21:47
  • Hey there! It looks like the linked question would answer your question, but if it doesn't, could you explain why? Sorry if not, and welcome to StackOverflow! A good way of checking if your output is being properly encoded is to throw in some characters like `< > ' " &` and view the source in your browser. They should show up as `< &rt; ' " &`. – Gray Oct 04 '18 at 21:48
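A standalone Java program, added here and not part of the question or of JSTL, that mirrors the five replacements `fn:escapeXml` applies (the table is taken from the Apache JSTL implementation; confirm it against the jstl-1.2 jar you deploy) and runs Gray's probe characters through the customer input both with and without escaping, with an automated version of his view-source check:

```java
// Added example, not code from the question. escapeXml() mirrors the replacement table
// of the Apache JSTL fn:escapeXml implementation (an assumption to confirm against your
// jstl-1.2 jar); renderInput() is a stand-in for what the JSP emits for the customer field.
public class EscapeXmlCheck {
    /** The five replacements fn:escapeXml applies; null renders as an empty string. */
    static String escapeXml(String s) {
        if (s == null) return "";
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&#034;"); break;
                case '\'': sb.append("&#039;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }
    /** The customer input as rendered with ${customer} (escape=false) or ${fn:escapeXml(customer)}. */
    static String renderInput(String customer, boolean escape) {
        String v = escape ? escapeXml(customer) : customer;
        return "<input name=\"customer\" id=\"customer\" maxlength=\"7\" value=\""
                + v + "\" type=\"text\" />";
    }
    /** Gray's check, automated: the value attribute must end exactly where the template ends it,
     *  and its body may contain only ordinary characters or the five entities escapeXml emits. */
    static boolean attributeIsEncoded(String tag) {
        String marker = "value=\"";
        int start = tag.indexOf(marker) + marker.length();
        int end = tag.indexOf('"', start);
        String attr = tag.substring(start, end);
        String tail = tag.substring(end);
        return tail.equals("\" type=\"text\" />")
                && attr.matches("(?:[^&<>\"']|&(?:amp|lt|gt|#034|#039);)*");
    }
    public static void main(String[] args) {
        // Constructed probe from the comments. Note that maxlength="7" is enforced only by the
        // browser; a request can carry any length, so the server-side encoding is what counts.
        String probe = "< > ' \" &";
        for (boolean escape : new boolean[] {false, true}) {
            String tag = renderInput(probe, escape);
            System.out.println((escape ? "escaped:   " : "unescaped: ") + tag);
            System.out.println("  attribute intact: " + attributeIsEncoded(tag));
        }
    }
}
```

The unescaped rendering fails the check because the raw `"` in the probe terminates the attribute early; the escaped rendering passes because every special character has become one of the five entities.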

0 Answers