XSS (Cross-site Scripting) is one of the most common vulnerabilities in web applications. And, it can be exploited by hackers very easily without any sophisticated tool.
How does it work?
If the user's input is returned to the page as it is, any JavaScript code embedded in that input may execute. And, hacker wins!!
I am posting a solution for Spring…
In Spring MVC, form tags are used to build JSP pages. Spring MVC provides multiple options for HTML-escaping output on the server side.
- At the global level, it can be defined in the web.xml file. This applies to the entire application; all form tags refer to this definition. The sample code is shown below:
- At the page level, it is defined as a tag declaration. The code is:
<spring:htmlEscape defaultHtmlEscape="true" />
Any form tag after the above declaration uses HTML-escape encoding.
- The third option is to define it as an attribute on each form tag. For example, an input text field can be defined as:
<form:input path="name" htmlEscape="true" />
Depending on the requirement, escaping can be enabled at the global, page or tag level.
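To see what the htmlEscape setting actually changes in the rendered HTML, here is an added example (not code from the original post) that renders the value of a "name" field the way the form:input tag does with and without escaping, using Spring's own HtmlUtils.htmlEscape; it assumes spring-web is on the classpath, and the submitted value is a constructed sample.

```java
import org.springframework.web.util.HtmlUtils;

public class HtmlEscapeDemo {

    // Constructed sample input: a value for the "name" field that tries to
    // close the value attribute and inject a script element.
    static final String SUBMITTED_NAME = "\"><script>alert(1)</script>";

    // Mirrors what <form:input path="name"/> writes when htmlEscape is off:
    // the bound value is copied into the value attribute unchanged, so the
    // quote in the input closes the attribute and the script tag becomes markup.
    static String renderUnescaped(String value) {
        return "<input id=\"name\" name=\"name\" type=\"text\" value=\""
                + value + "\"/>";
    }

    // Mirrors <form:input path="name" htmlEscape="true"/>: the value is passed
    // through HtmlUtils.htmlEscape (& < > " ' become entities) before it is
    // written, so it stays inside the attribute and is shown as plain text.
    static String renderEscaped(String value) {
        return "<input id=\"name\" name=\"name\" type=\"text\" value=\""
                + HtmlUtils.htmlEscape(value) + "\"/>";
    }

    public static void main(String[] args) {
        System.out.println("htmlEscape off: " + renderUnescaped(SUBMITTED_NAME));
        System.out.println("htmlEscape on:  " + renderEscaped(SUBMITTED_NAME));
    }
}
```

The escaped line is what every form tag emits once defaultHtmlEscape is switched on at the global or page level, so the per-tag attribute is only needed where the default is not set.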
I hope this information helps. Please do post your comments 🙂