Bozho

Reputation: 597402

Spring MVC defaultHtmlEscape - does it work on the way in or out?

When I set defaultHtmlEscape to true in web.xml, the values set in all input fields get escaped.

But when they are submitted, the values are not escaped.

So, is it true that this parameter is only for output, and does not cover the submission of parameters (and so, if I want to store XSS-safe values in the database, I should do something else)?

Upvotes: 8

Views: 12976

Answers (2)

axtavt

Reputation: 242786

The default HTML escape setting for input fields is already true, so setting it to true means the behaviour you get by default.

Moreover, I guess if you want to store xss-safe values in the database you need to set it to false in order to avoid double escaping.

So, you need something different to achieve escaping on input, perhaps a filter. Though I don't think that input escaping is a good idea, consistent output escaping looks more reliable, and doesn't create problems with processing data in the database.

Upvotes: 6

Buhake Sindi

Reputation: 89209

I think that to escape form input, one should do:

<form:input path="someProperty" htmlEscape="true" />

Upvotes: 1
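An added example, written for this page and not taken from the question or either answer, that makes the point of both answers concrete: `defaultHtmlEscape` and `htmlEscape="true"` only change what the `<form:*>` tags write into the rendered page, and if you also escape on the way in (the filter approach the first answer mentions) the stored value gets escaped a second time on output. It uses `org.springframework.web.util.HtmlUtils`, the escaper the form tags delegate to, so it needs spring-web on the classpath; the request flow is simulated with plain method calls rather than a real data binder, and the submitted string is constructed sample input.

```java
import org.springframework.web.util.HtmlUtils;

// Added example (not the page's or Spring's own code). Simulates the two
// escaping strategies discussed in the answers; the "request" is a constant,
// not a real HttpServletRequest, and no DataBinder is involved.
public class EscapeDirectionDemo {

    // Constructed sample: what the user actually typed into the input field.
    static final String SUBMITTED = "<script>alert(1)</script> & \"quotes\"";

    // Strategy recommended in the first answer: store the raw value and
    // escape once, at render time. This is what defaultHtmlEscape=true (or
    // htmlEscape="true" on a single tag) does when the form tag writes the
    // value attribute; it does nothing to the submitted parameter.
    static String storeRaw(String submitted) {
        return submitted; // binding does not touch the value
    }

    static String renderFromRaw(String stored) {
        return HtmlUtils.htmlEscape(stored); // one level of escaping
    }

    // Input-escaping strategy (a filter that escapes parameters before
    // binding): the database now holds entity-encoded text.
    static String storePreEscaped(String submitted) {
        return HtmlUtils.htmlEscape(submitted);
    }

    // With defaultHtmlEscape still true, the form tag escapes again on output,
    // so "&lt;" becomes "&amp;lt;" and the browser shows the literal text
    // "&lt;script&gt;" instead of "<script>".
    static String renderFromPreEscaped(String stored) {
        return HtmlUtils.htmlEscape(stored); // second level of escaping
    }

    // True when the stored value can be recovered exactly as typed, which
    // matters for every non-HTML consumer of the column (JSON, CSV, email).
    static boolean roundTrips(String stored) {
        return HtmlUtils.htmlUnescape(stored).equals(SUBMITTED)
                && stored.equals(SUBMITTED);
    }

    public static void main(String[] args) {
        String raw = storeRaw(SUBMITTED);
        System.out.println("DB (raw)          : " + raw);
        System.out.println("HTML (escaped once): " + renderFromRaw(raw));
        System.out.println("round-trips        : " + roundTrips(raw));

        String pre = storePreEscaped(SUBMITTED);
        System.out.println("DB (pre-escaped)   : " + pre);
        System.out.println("HTML (double)      : " + renderFromPreEscaped(pre));
        System.out.println("round-trips        : " + roundTrips(pre));
    }
}
```

Run it with spring-web on the classpath and compare the two `HTML` lines: the first renders as the text the user typed, the second renders the entity names themselves. Storing the raw value and relying on the form tags' output escaping (the default) avoids both the double-escaping and the corrupted database column; if you turn `defaultHtmlEscape` off to compensate for input escaping, every place that outputs the value without the form tags becomes an XSS sink again.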
