
I want to escape all outgoing content sent to the browser. Unfortunately, it is not possible to add a tag and modify JSPs at this stage. I have an interceptor which can be modified, but I'm not sure how I can get hold of the Result, as it is not yet generated when the last interceptor runs.

Is there any way to get hold of the content sent back to the browser, so that I can escape the content? It need not be an interceptor; all I want is to put this 'escaping' code to run on all outgoing content.

Matt Ball
Voicestreams
  • If modifying your JSPs isn't an option, then you can escape incoming String parameters in a custom parameters interceptor. I'm not sure how you would reliably escape fields after the JSP output was rendered. – Steven Benitez Aug 01 '11 at 03:28
  • There is no easy way out. You have to escape every piece of content diligently. Possible duplicate of http://stackoverflow.com/questions/3638619/prevent-xss-attacks-site-wide – Sripathi Krishnan Aug 01 '11 at 10:28

1 Answer


There are a few issues taken care of in the latest release of Struts 2 (2.3.1). I do not have much idea about XSS; have a look at the following issues, maybe they can give me some idea:

XSS vulnerability in javatemplates plugin

Struts 2 XSS vulnerability

Umesh Awasthi