Mdhar9e

Reputation: 1376

XSS vulnerabilities in <c:out> tags in JSP pages

When I run my Fortify scan against my project's JSP pages, Fortify complains about many XSS issues to fix in the pages. It complains about most of the places like <c:out> statements. I tried the function escapeXml from <%@ taglib uri="http://java.sun.com/jsp/jstl/functions" prefix="fn" %> using ${fn:escapeXml(path)}, but this prints the entire text as it is.

Actually, I have the code in my JSP as given below. I want to fix the XSS vulnerability for the <c:out value="${cdt}"/> tags.

<c:set var="checked">
    checked="checked"
</c:set>
<c:set var="cdt" value="" />
<c:set var="dbt" value="" />

<c:choose>
    <c:when test="${casesForm.institutionRepresents == 'C'}">
        <c:set var="cdt" value="${checked}"/>
    </c:when>
    <c:when test="${casesForm.institutionRepresents == 'D'}">
        <c:set var="dbt" value="${checked}"/>
    </c:when>
</c:choose>

<div class="field LINK_show">
    <label><bean:message key="label.institutions" /></label>
    <div style="display:inline;padding-left:10px">
    <input type="radio" name="institutionRepresents" value="A" <c:out value="${cdt}" />><bean:message key="label.credit" /> 
    <input type="radio" name="institutionRepresents" value="I" <c:out value="${dbt}" />><bean:message key="label.debit" /> 
    </div>
</div>

Is there any way to fix the XSS vulnerability in <c:out> tags?

Upvotes: 1

Views: 13475

Answers (2)

fgb

Reputation: 18569

<c:out> already does HTML escaping, but this is not normally suitable for outputting an attribute. If a user had control over cdt, they could modify the attribute name or value, or add extra attributes. Characters like spaces now become meta-characters.

The way you've used it is OK though, because the value of cdt can't be directly manipulated by the user but is set from a safe constant. It can only be checked="checked" or empty. You can disable escaping for that value because you want your quotes to be written directly as HTML.

Upvotes: 3
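A worked illustration of the point in the answer above, added here and not part of the original answer or of JSTL itself: a Java reimplementation of the five-character escaping that <c:out> and fn:escapeXml perform, a small attribute tokenizer standing in for a browser's parser (an assumption, not a real HTML parser), and three renderings of the question's radio button. The attacker string, the class name and the method names are constructed for the example; it assumes, contrary to the question's actual situation, that cdt were user-controlled.

```java
// Added example, not code from the original question or answers.
// Reimplements the escaping JSTL's <c:out> applies (the five characters & < > " ')
// and shows why that is enough inside a quoted attribute but not in the unquoted
// position used in the question. The attacker string below is constructed.
import java.util.ArrayList;
import java.util.List;

public class CoutAttributeContext {

    // Same replacement table as JSTL escapeXml (assumption: entity spellings taken
    // from the Apache Standard Taglib; only the set of characters matters here).
    static String escapeXml(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&#034;"); break;
                case '\'': sb.append("&#039;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // The question's pattern: <input ... value="A" <c:out value="${cdt}"/>>
    // The escaped value lands between attributes, where whitespace is a separator.
    static String renderUnquoted(String cdt) {
        return "<input type=\"radio\" name=\"institutionRepresents\" value=\"A\" "
                + escapeXml(cdt) + ">";
    }

    // Same value inside a quoted attribute: the only way out is a '"', which is escaped.
    static String renderQuoted(String v) {
        return "<input type=\"radio\" name=\"institutionRepresents\" value=\""
                + escapeXml(v) + "\">";
    }

    // What the answer amounts to: decide with a boolean and emit the constant yourself
    // (in JSP: <c:if test="${...}">checked="checked"</c:if>), so no markup passes
    // through a variable and nothing needs escaping.
    static String renderChecked(boolean checked) {
        return "<input type=\"radio\" name=\"institutionRepresents\" value=\"A\""
                + (checked ? " checked=\"checked\"" : "") + ">";
    }

    // Minimal attribute tokenizer following the HTML rules that matter here:
    // names end at whitespace, '=' or '>'; quoted values end at the matching quote,
    // unquoted values at whitespace or '>'. Returns the attribute names a browser sees.
    static List<String> attributeNames(String tag) {
        List<String> names = new ArrayList<>();
        int n = tag.length();
        int i = tag.indexOf(' ');                       // skip the tag name
        while (i >= 0 && i < n) {
            while (i < n && Character.isWhitespace(tag.charAt(i))) i++;
            if (i >= n || tag.charAt(i) == '>') break;
            int start = i;
            while (i < n && !Character.isWhitespace(tag.charAt(i))
                    && tag.charAt(i) != '=' && tag.charAt(i) != '>') i++;
            names.add(tag.substring(start, i));
            if (i < n && tag.charAt(i) == '=') {
                i++;
                if (i < n && (tag.charAt(i) == '"' || tag.charAt(i) == '\'')) {
                    char quote = tag.charAt(i++);
                    while (i < n && tag.charAt(i) != quote) i++;
                    i++;                                // step past the closing quote
                } else {
                    while (i < n && !Character.isWhitespace(tag.charAt(i))
                            && tag.charAt(i) != '>') i++;
                }
            }
        }
        return names;
    }

    public static void main(String[] args) {
        String attack = "x onmouseover=alert(1)";      // constructed attacker-controlled cdt
        System.out.println(renderUnquoted(attack));
        System.out.println(attributeNames(renderUnquoted(attack)));
        System.out.println(renderQuoted(attack + "\""));
        System.out.println(attributeNames(renderQuoted(attack + "\"")));
        System.out.println(renderUnquoted("checked=\"checked\""));
        System.out.println(renderChecked(true));
    }
}
```

Run it and the tokenizer lists x and onmouseover as extra attributes for the unquoted rendering even though every character <c:out> escapes was escaped, while the quoted rendering keeps the whole string as one value because the stray quote became &#034;. The last two lines show the real cdt value: with escaping on, <c:out> turns checked="checked" into checked=&#034;checked&#034;, which is why the answer suggests escapeXml="false" for this constant, and why emitting the literal under a condition, as renderChecked does, avoids the question entirely.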

Stephen Corcoran

Reputation: 346

Check out this article on XSS for <c:out>:

http://tech.finn.no/2011/04/08/xss-protection-whos-responsibility/

Also, here is a related question with a great answer that should help:

JSP : JSTL's <c:out> tag

Upvotes: 0
