i've got this in my web.xml

<context-param>
  <param-name>defaultHtmlEscape</param-name>
  <param-value>true</param-value>
</context-param>

and this in a jsp

<spring:htmlEscape defaultHtmlEscape="true" />

Still I can put <font color="red">this is red</font> in a form and see red text on the website.

I am using EL and Taglibs to access my variables in the jsps. E.g. <h3>${someThing.title}</h3>

Why is this not working, what shall I do? Wrapping every EL-expression in some wrapper bloats the code and is very error prone...

Franz Kafka

2 Answers

<c:out value="${someThing.title}" escapeXml="true"/>
Marcin Michalski
  • That's what I don't want. No web designer can work with JSPs full of that stuff... And if I forget putting that somewhere I'm prone to XSS. I want to set it once. – Franz Kafka Jun 06 '11 at 07:35
  • So maybe you could add a filter which would escape all request and session scoped parameters prior to forwarding the call into the JSP – Marcin Michalski Jun 06 '11 at 09:39

You are supposed to use <c:out> to escape your code in the JSP. I can see how you might think that's bloated, but you can use a tag file to reduce duplication. Alternatively, use the EL's fn:escapeXml function.

artbristol
  • Are these other things (content-param ...) useless? If it's really so hard to do every second site must be prone to XSS. Maybe I should look into that for a new income source :-) – Franz Kafka Jun 06 '11 at 07:45
  • Yeah it's a pain. See http://stackoverflow.com/questions/2147958/how-do-i-prevent-people-from-doing-xss-in-java. I think `defaultHtmlEscape` only applies to the output of Spring MVC JSP tags, not raw EL expressions. – artbristol Jun 06 '11 at 07:54
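The following is an added example, not code from either answer, that puts the three output-escaping forms mentioned in the answers above side by side with the raw EL expression from the question: `<c:out>`, `fn:escapeXml`, and a small tag file that wraps `<c:out>` so a page designer only has to write one short tag. The `someThing.title` value is replaced by a constructed `title` variable carrying the `<font>` payload from the question; the tag file name `heading.tag` and its location under `/WEB-INF/tags` are assumptions. The `defaultHtmlEscape` context parameter from the question is left in place and has no effect on any of these lines, which is why the raw EL line still renders red text.

```jsp
<%@ page contentType="text/html;charset=UTF-8" pageEncoding="UTF-8" %>
<%@ taglib prefix="c"  uri="http://java.sun.com/jsp/jstl/core" %>
<%@ taglib prefix="fn" uri="http://java.sun.com/jsp/jstl/functions" %>
<%-- Assumed tag directory; tag files placed here are picked up without a TLD. --%>
<%@ taglib prefix="t" tagdir="/WEB-INF/tags" %>

<%-- Constructed sample value standing in for ${someThing.title}. In the real
     application it would arrive from the model (i.e. from user input). --%>
<c:set var="title" value='<font color="red">this is red</font>' />

<%-- 1. Raw EL: the markup is written through unchanged and the browser renders
        red text. This is the line that makes the page vulnerable. --%>
<h3>${title}</h3>

<%-- 2. c:out replaces < > & ' " with entities, so the tag is shown literally.
        escapeXml defaults to true, so the attribute can be omitted. --%>
<h3><c:out value="${title}" escapeXml="true" /></h3>

<%-- 3. The JSTL function form does the same escaping and is usable anywhere an
        EL expression is, including inside attribute values. --%>
<h3>${fn:escapeXml(title)}</h3>
<input type="text" name="title" value="${fn:escapeXml(title)}" />

<%-- 4. A tag file keeps the page short: the escaping lives in one place. --%>
<t:heading text="${title}" />

<%-- Contents of /WEB-INF/tags/heading.tag (assumed file, shown here for
     completeness; it must be saved as its own file, not pasted into the JSP). --%>
<%--
<%@ tag body-content="empty" %>
<%@ attribute name="text" required="true" rtexprvalue="true" %>
<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
<h3><c:out value="${text}" /></h3>
--%>
```

Forms 2 through 4 all emit `&lt;font color=&#034;red&#034;&gt;this is red&lt;/font&gt;` for the constructed value, so the text appears verbatim and nothing is interpreted as markup. Escaping at output time, as these forms do, is what closes the hole in the question; escaping parameters in a filter before they reach the JSP, as suggested in the comment above, still leaves any value that did not pass through that filter (session attributes, database rows, model objects) unescaped. A quick check for the remaining risk is to search the JSP tree for `${` expressions that are not wrapped in `<c:out>` or `fn:escapeXml`.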