smali
Reputation: 4805
Are there any drawbacks of using JSTL tags for escaping XML for XSS prevention
I want to sanitize the text which will be sent to user (browser) by the server using these jsp tags.
got idea after reading this post XSS prevention in JSP/Servlet web application
<c:out value="${bean.userControlledValue}">
<input name="foo" value="${fn:escapeXml(param.foo)}">
But I have many jsp pages and I want to perform search for tags or <p> and add these escaping tags so, Is it good to do this or is any drawback or precaution we need to care of.
Upvotes: 1
Views: 139
Answers (1)
alain.janinm
Reputation: 20065
I don't see any drawbacks or precautions to care of. If you want to be sure, the best is to read the actual source code :) org.apache.taglibs.standard.functions.Functions
Upvotes: 1
Related Questions
- XSS prevention in JSP/Servlet web application
- Is usage of <c:out> tag with escapeXml="false" equivalent to not using <c:out> tag?
- What is the difference between escapeXml and escapeHtml?
- Escape sequences in XML
- XSS Escape characters before taking data into java. JSTL
- Do JSTL tags automatically escape HTML?
- JSTL escapeXml default
- How to prevent JavaScript injection (XSS) when JSTL escapeXml is false
- Java 5 HTML escaping To Prevent XSS
- Escaping html in Java