Abhijith Nagaraja

Reputation: 3380

XSS Cross Site Scripting - on JSP input tag

The following piece of code in my JSP caused a cross site scripting vulnerability on the input tag.

<td id="locale-block" align="left" style="visibility: hidden; height: 0;">
    <input type="text" id="locale" name="locale" text="eng" value = "eng">eng
</td>

During penetration testing they were able to alert some random message to the user by injecting an alert script in the value attribute of the tag as follows:

</script><script>alert(1);</script><script>

What should be done to avoid this? Is there any simple solution which does not involve a paid 3rd-party library?

Upvotes: 0

Views: 1159

Answers (1)

Robin Jonsson

Reputation: 2851

There's actually a good 3rd party lib that takes care of sanitation pretty easily, called OWASP.

I first heard about it at JFokus 2014, from WhiteHat Security's Jim Manico, in his speech about Java security.

Check it out: here

Upvotes: 1
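
An added example, not part of the original question or answer: one way to close this hole with only the JDK (Java 9+), by allow-listing the locale value and HTML-encoding whatever is written into the `value` attribute. It assumes the page reflects a `locale` request parameter into the tag and that the application supports a fixed set of codes; the class name, the method names and the list `eng`/`fra`/`deu` are hypothetical.

```java
import java.util.Set;

public class LocaleField {
    // Assumption: the application supports a fixed list of locale codes.
    private static final Set<String> ALLOWED = Set.of("eng", "fra", "deu");
    private static final String DEFAULT_LOCALE = "eng";

    /** Allow-list check: anything that is not a known code falls back to the default. */
    static String safeLocale(String raw) {
        return (raw != null && ALLOWED.contains(raw)) ? raw : DEFAULT_LOCALE;
    }

    /** Encode the characters that can end a quoted attribute or open a tag. */
    static String escapeHtmlAttr(String s) {
        if (s == null) return "";
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    /** Renders the input tag; the attribute value is always double-quoted. */
    static String renderInput(String rawParam) {
        String v = escapeHtmlAttr(safeLocale(rawParam));
        return "<input type=\"text\" id=\"locale\" name=\"locale\" value=\"" + v + "\">";
    }

    public static void main(String[] args) {
        // The test string reported in the question, used here as sample input.
        String probe = "</script><script>alert(1);</script><script>";
        System.out.println(escapeHtmlAttr(probe)); // encoding alone: no raw < or > remains
        System.out.println(renderInput(probe));    // allow-list: unknown value is replaced
        System.out.println(renderInput("fra"));    // known code passes through unchanged
    }
}
```

In the JSP itself, JSTL's `fn:escapeXml` function (or the `<c:out>` tag) performs the same encoding, for example `value="${fn:escapeXml(param.locale)}"`.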
