How to Fix XSS on hidden fields

Question

There is XSS vulnerability in one of the JSP file, where we have used hidden fields. Thus following hidden fields are vulnerable to xss:

   <input type="hidden" name="input1" value="<%=dummyInputValue%>"/>
   <input type="hidden" name="input2" value="<%=dummyInputValue1%>"/>

where dummyInputValue comes from request object..something like below request.getParameter("dummyInputValue")

I am not sure how to fix this fields to avoid xss vulnerability. Kindly help me on this.

By accessing the following URL (example):

Triggering the XSS requires alt+shift+x (windows) or ctrl+alt+x (max).

Show your JSP code. Anyway, you can start here: https://stackoverflow.com/a/2658941/3511123 — Jozef Chocholacek, Apr 25 '19 at 10:15
sorry Jozef, I have updated JSP code for the hidden fields now — rocky, Apr 25 '19 at 10:54
Thank you Jozef, your reference link fixed my issue adding the JSTL code "/> ..Sorry, I am not sure how to format the code while adding comment — rocky, Apr 25 '19 at 11:39

score 0 · Answer 1 · answered Apr 25 '19 at 11:46

I fixed the issue, after reading the comment given by Jozef. XSS is prevented in JSP by using JSTL tag. That is by changing the code as below

<%@ taglib uri = "http://java.sun.com/jsp/jstl/core" prefix = "c" %>
<input type="hidden" name="input1" value="<c:out value="${dummyInputValue}"/>"/>

1 Answers1