Reputation: 8477
As per the documentation on XSS, I included the following line in application.conf:
future.escapeInTemplates=true
In my webapp, a user can add a comment to a page. A text field accepts text input from the user and saves it to the db. I entered the following line as a comment:
<script> alert('hi') </script>
This gets saved in the db as it is, and displays the same in the browser. No alert popup occurs. Does that mean the XSS problem is not occurring? Even without adding escapeInTemplates=true in application.conf, the program gives the same behaviour.
There were some warnings elsewhere about saving unsanitized HTML to the database. So, should I use something like Jsoup to sanitize the user input before saving it to the db?
Upvotes: 1
Views: 254
Reputation: 9015
escapeInTemplates does not prevent HTML from being saved; it escapes it when it is rendered in the template. From the Play Framework 1.2.4 docs:
Play’s template engine automatically escapes strings. If you really need to insert unescaped HTML in your templates, you can do so using the raw() Java extension on the string. But if the string comes from a user input, you need to make sure it is sanitized first.
So when the HTML is displayed in the template, the <SCRIPT> tag gets escaped to &lt;SCRIPT&gt;
Upvotes: 1
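To make the distinction in the answer concrete, here is an added example (not code from the question, the answer, or Play itself) that stores the comment from the question unchanged, shows the output encoding a Play 1.x template applies to ${...} (the escapeHtml method here is an assumed stand-in written for this example, not Play's implementation), and shows the separate Jsoup whitelist step that is only needed if you decide to render user HTML with raw(). It assumes Jsoup on the classpath with its Whitelist API (renamed Safelist in newer Jsoup releases).

```java
import org.jsoup.Jsoup;
import org.jsoup.safety.Whitelist;

public class CommentEscapingDemo {

    // Output encoding: the same five characters a template engine must neutralise
    // before untrusted text is written into an HTML document. This is an assumed
    // stand-in for what Play does to ${comment.body}; it is not Play's own code.
    static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Input sanitisation with Jsoup: keeps a small whitelist of formatting tags
    // and drops everything else, including script elements and their contents.
    // Only needed when you intend to bypass escaping with raw() in the template.
    static String sanitizeForRaw(String untrustedHtml) {
        return Jsoup.clean(untrustedHtml, Whitelist.basic());
    }

    public static void main(String[] args) {
        // Constructed sample: the exact comment from the question, saved as-is.
        String stored = "<script> alert('hi') </script>";

        // Case 1: default template rendering. The database row is untouched;
        // the browser receives the escaped text and never sees a script element.
        System.out.println("db value : " + stored);
        System.out.println("rendered : " + escapeHtml(stored));

        // Case 2: you want to allow limited markup and output it with raw().
        // Then the value must be cleaned before it reaches the template,
        // because raw() turns the escaping off.
        String withMarkup = "<b>hi</b>" + stored;
        System.out.println("cleaned  : " + sanitizeForRaw(withMarkup));
    }
}
```

Escaping on output and sanitising on input solve different problems: the first is what protects the page in the question, the second only matters once raw() is in play.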