How to properly escape this JSP code to avoid Stored XSS vulnerabilities?


These are flagged as having "Stored XSS vulnerabilities". I need to know how to properly escape the following to address this type of cross-site scripting vulnerability.

// value is written into the cell unescaped; parentheses added around the ternary so it compiles (+ binds tighter than ?:)
out.print("<td headers=\""+headerIDs.get(i-1)+"\""+ (wrap?"":" nowrap")+">"+(StringUtils.isNotEmpty(value) ? value : "&nbsp;")+"</td>");

out.print("<td headers=\""+headerIDs.get(i-1)+"\""+ (wrap?"":" nowrap")+">"+StringUtils.escapeXML(value, "&nbsp;")+"</td>");

I've seen a couple of possible solutions, but I'm not sure which one is better:

StringUtils.renderSafeHtml(...)
Encoder.forHtml(...)

My teammates are using renderSafeHtml(...) to address the other kinds of XSS vulnerabilities in our code, so I prefer to use this one. However, all the examples I've seen online suggest Encoder.forHtml(...) for "Stored XSS".

Bear in mind org.springframework.web.util.HtmlUtils.htmlEscape is not an option since we use Struts.


There are 0 answers
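One way to render these cells safely, written here as an added example rather than code from the question or from the poster's codebase. It assumes nothing about the project's `StringUtils.renderSafeHtml`; the small `escapeHtml` helper stands in for a library encoder such as OWASP Java Encoder's `org.owasp.encoder.Encode.forHtml` / `Encode.forHtmlAttribute` (the library class is `Encode`, not `Encoder`), which is what the "Encoder.forHtml" advice for stored XSS normally points at. The point the example makes is that both untrusted pieces (the header id inside the attribute and the cell value in text context) get encoded, while the author's own literal markup (`&nbsp;`, `nowrap`) is left alone, so the "empty value" case still renders a non-breaking space instead of `&amp;nbsp;`.

```java
import java.util.List;

public class SafeCellRenderer {

    // Minimal HTML encoder, used as a stand-in for a library call such as
    // OWASP Java Encoder's Encode.forHtml / Encode.forHtmlAttribute (assumption:
    // that is the encoder the question refers to). Escaping these five characters
    // is sufficient for both text nodes and double-quoted attribute values.
    static String escapeHtml(String s) {
        if (s == null) return "";
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Renders one <td>. The header id and the value are untrusted and are encoded
    // for the context they land in; "&nbsp;" and "nowrap" are trusted markup
    // written by the page author and must not be encoded. Note the ternary is
    // evaluated before concatenation, and there is a space before "nowrap".
    static String renderCell(String headerId, String value, boolean wrap) {
        StringBuilder td = new StringBuilder("<td headers=\"");
        td.append(escapeHtml(headerId)).append('"');
        if (!wrap) td.append(" nowrap");
        td.append('>');
        if (value != null && !value.isEmpty()) {
            td.append(escapeHtml(value));
        } else {
            td.append("&nbsp;");
        }
        return td.append("</td>").toString();
    }

    public static void main(String[] args) {
        // Constructed sample inputs: a header list as in the question and two
        // stored values that would break out of text or attribute context if
        // written raw.
        List<String> headerIDs = List.of("h-name", "h-comment");
        String storedValue = "<b>hi</b> & \"bye\"";
        String storedHeaderId = "h-comment\" onmouseover=\"x";

        System.out.println(renderCell(headerIDs.get(0), storedValue, true));
        // <td headers="h-name">&lt;b&gt;hi&lt;/b&gt; &amp; &quot;bye&quot;</td>
        System.out.println(renderCell(storedHeaderId, "ok", false));
        // <td headers="h-comment&quot; onmouseover=&quot;x" nowrap>ok</td>
        System.out.println(renderCell(headerIDs.get(0), "", true));
        // <td headers="h-name">&nbsp;</td>
    }
}
```

In the JSP the call would simply become `out.print(SafeCellRenderer.renderCell(headerIDs.get(i-1), value, wrap));` (or the equivalent inline with whichever encoder the team standardises on). The reason the scanner flags both original lines is that `value` and `headerIDs.get(i-1)` reach the output unencoded; whichever of `renderSafeHtml` or `forHtml` is chosen, it has to be applied to each untrusted fragment before concatenation, never to the finished string, otherwise the intentional `&nbsp;` gets double-encoded and the attribute context is still unprotected.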