You'd as being a site admin really like to know which users/IPs are trying to perform XSS, so that you can easily track them and take actions accordingly. You'll also lose social control because you don't know anymore what the user has actually filled in. when exporting data to JSON, CSV, XLS, PDF, etc which doesn't require HTML-escaping at all). & becomes & instead of & and ultimately the enduser would see & being presented), or that the DB-stored data becomes unportable (e.g. Some may opt to escape them during request processing (as you do in Servlet or Filter) instead of response processing (as you do in JSP), but this way you may risk that the data unnecessarily get double-escaped (e.g. Note that you don't need to escape them in the Java (Servlet) code, since they are harmless over there. This will escape characters which may malform the rendered HTML such as, ", ' and & into HTML/XML entities such as <, >, ', ' and &.Also the user-controlled input from previous requests which is stored in a database needs to be escaped during redisplaying. Anything which you extract from the request object. This includes request parameters, headers, cookies, URL, body, etc. XSS can be prevented in JSP by using JSTL tag or fn:escapeXml() EL function when (re)displaying user-controlled input.
0 Comments
Leave a Reply. |