Alireza Fattahi

Reputation: 45553

Overriding default <%=%> in JSP to prevent XSS Hack

There is a web project with lots of <%=%> in it, which are not XSS safe! Is there any approach that can be used to fix them all?

If you have JSP web projects with lots of ${} you can change the EL resolver functionality to override the default ELResolver and make ${} XSS safe. Please see https://github.com/pukkaone/webappenhance

Is there a similar way for <%=%>? Can we override the functionality of <%=%> the same way as ${}?

I see some guides at Java 5 HTML escaping to prevent XSS.

Upvotes: 0

Views: 257

Answers (1)

user3588002


No, you cannot. <%= expr %> is a basic construct that prints the value as is; someone may need it to dump raw HTML snippets:

<%= article.getBodyHtml() %>

Upvotes: 1
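For contrast with the answer's point about <%= %>, here is what the ${} side of the question looks like in practice: an ELResolver that sits in the resolver chain and HTML-escapes every String that ${} resolves. This is an added illustrative reimplementation of the pattern the webappenhance project uses, not that library's code or anything from the question; the class names `EscapingElResolver` and `Registrar` are assumptions, and it assumes a JSP 2.1+ / Servlet 3.0+ container (javax.el, JspApplicationContext, @WebListener).

```java
// Added example: an escaping ELResolver in the spirit of webappenhance.
// Illustrative reimplementation, not the library's code; class names are
// assumptions. Needs JSP 2.1+ / Servlet 3.0+ (javax.el, JspApplicationContext,
// @WebListener).
import java.beans.FeatureDescriptor;
import java.util.Iterator;

import javax.el.ELContext;
import javax.el.ELResolver;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.annotation.WebListener;
import javax.servlet.jsp.JspApplicationContext;
import javax.servlet.jsp.JspFactory;

public class EscapingElResolver extends ELResolver {

    // True while this resolver is delegating to the full chain, so that the
    // composite resolver re-entering us does not recurse forever.
    private static final ThreadLocal<Boolean> DELEGATING =
            ThreadLocal.withInitial(() -> Boolean.FALSE);

    @Override
    public Object getValue(ELContext context, Object base, Object property) {
        if (DELEGATING.get()) {
            return null; // inside our own delegation: let the other resolvers answer
        }
        DELEGATING.set(Boolean.TRUE);
        try {
            // Ask the complete chain (scoped attributes, beans, maps, lists...) for the value.
            Object value = context.getELResolver().getValue(context, base, property);
            if (context.isPropertyResolved() && value instanceof String) {
                return escapeHtml((String) value);
            }
            return value;
        } finally {
            DELEGATING.set(Boolean.FALSE);
        }
    }

    // Minimal HTML escaping of the five characters that matter in element content
    // and quoted attribute values. Production code would use the OWASP Java Encoder.
    static String escapeHtml(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // Everything else is left to the other resolvers: this one only reads.
    @Override public Class<?> getType(ELContext ctx, Object base, Object prop) { return null; }
    @Override public void setValue(ELContext ctx, Object base, Object prop, Object v) { }
    @Override public boolean isReadOnly(ELContext ctx, Object base, Object prop) { return false; }
    @Override public Iterator<FeatureDescriptor> getFeatureDescriptors(ELContext ctx, Object base) { return null; }
    @Override public Class<?> getCommonPropertyType(ELContext ctx, Object base) { return null; }

    // Registers the resolver once per web application. addELResolver() must run
    // before the first JSP executes (it throws IllegalStateException afterwards),
    // so a ServletContextListener is the right place. If the container does not
    // pick up the annotation on a nested class, declare it in web.xml as
    // <listener-class>EscapingElResolver$Registrar</listener-class>.
    @WebListener
    public static class Registrar implements ServletContextListener {
        @Override
        public void contextInitialized(ServletContextEvent sce) {
            JspApplicationContext jspContext = JspFactory.getDefaultFactory()
                    .getJspApplicationContext(sce.getServletContext());
            jspContext.addELResolver(new EscapingElResolver());
        }

        @Override
        public void contextDestroyed(ServletContextEvent sce) { }
    }
}
```

Two caveats before rolling this out. First, escaping happens at resolution time, so it affects every use of ${}, not just output: `<c:out value="${x}"/>` and `${fn:escapeXml(x)}` now double-escape, any ${} that was deliberately emitting raw HTML breaks, and EL comparisons or functions see the escaped string. Second, exactly as the answer says, none of this touches <%= %>: scriptlet expressions bypass EL entirely, so those still have to be found (a grep for `<%=` over the JSP tree) and each one either converted to ${} or wrapped in an explicit escaping call or a JSTL `<c:out>`.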
