
I have a JSP and Struts 2 based application where we have used JSTL to render the output. Now, in any of the GET APIs, I am giving the request param as a JSP expression. For example:

http://localhost:8090/inputParam.do?searchVal=${pageContext.servletContext.serverInfo}

and the request param searchVal is returned as it is by the controller, which is rendered on the JSP as

var gText = '<c:out value="${searchVal != null ? searchVal :''}"/>';

The above line is actually dynamically rendering the searchVal JSP expression and giving the output as JBoss Web/7.5.28.Final-redhat-1, and the vulnerability scanner is considering the above behavior as a vulnerability.

How can I fix this?

Dave Newton
viv kumar
  • You're rendering raw data into JavaScript meaning there's a direct path to JS injection. Even if it contained a single quote it would break your JS. At the very least you'd need to escape all quote styles. – Dave Newton Mar 27 '20 at 15:53
  • @DaveNewton So in that case if I will just write as without assigning it to any js variable then in this case it will not result into any vulnerability? – viv kumar Mar 27 '20 at 16:08
  • It depends on context. If it's JS it doesn't matter if it's assigned or not. If it's in HTML then normal tag escaping applies. – Dave Newton Mar 27 '20 at 16:47
  • I am not sure why this question is marked as duplicate. @DaveNewton can you please give an example what all things should be escaped in the above example. – viv kumar Mar 30 '20 at 17:31
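
The escaping that the comments above ask about, as an added example that is not part of the original thread: it models the `var gText = '...';` line from the question and encodes the value for a JavaScript string literal inside a `<script>` block, then parses the result to confirm the value comes back unchanged. The helper names and the sample inputs are constructed for illustration, and the example covers only the JavaScript output context.

```javascript
// Added example: escaping for a JavaScript string literal inside <script>.
// escapeForJsString, renderScriptLine and evaluateLine are hypothetical names.

// Characters allowed through unchanged; everything else becomes \uXXXX.
// That covers all quote styles, backslash, <, >, &, /, $, braces and
// line terminators (including U+2028 and U+2029).
const SAFE = /[A-Za-z0-9 ,._]/;

function escapeForJsString(value) {
  const s = String(value);
  let out = '';
  for (let i = 0; i < s.length; i++) {
    const ch = s[i];
    // Work per UTF-16 code unit: a surrogate pair becomes two \uXXXX escapes,
    // which the JavaScript parser joins back into the original character.
    out += SAFE.test(ch)
      ? ch
      : '\\u' + s.charCodeAt(i).toString(16).padStart(4, '0');
  }
  return out;
}

// Models the line from the question: var gText = '<value>';
function renderScriptLine(value) {
  return "var gText = '" + escapeForJsString(value) + "';";
}

// Parses the rendered line as JavaScript and returns what gText ends up holding.
function evaluateLine(line) {
  return new Function(line + '\nreturn gText;')();
}

// Constructed sample inputs, one per character class that needs escaping.
const SAMPLES = [
  "O'Reilly",
  'say "hi" with `ticks`',
  'trailing backslash \\',
  '</script><b>markup</b>',
  'line\nbreak and \u2028 separator',
  '${pageContext.servletContext.serverInfo}', // string from the question, as plain text
  'emoji \u{1F512}',
];

// True when every sample stays inside the literal and round-trips exactly.
function allSamplesRoundTrip() {
  return SAMPLES.every((v) => {
    const line = renderScriptLine(v);
    return !/<\/script/i.test(line) && evaluateLine(line) === v;
  });
}

console.log(SAMPLES.map(renderScriptLine).join('\n'));
```

In a JSP application this encoding is applied on the server before the value is written into the page; the OWASP Java Encoder's `Encode.forJavaScript` is one existing implementation of a JavaScript-context encoder.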
