Security

Avoiding XSS scripting

  • In JSPs, use the JSTL <c:out> tag (core.OutTag), which escapes HTML special characters by default, for every string-type attribute (or even for every variable)
    • Example: instead of this:

      <li>${identifier.identifier} ${identifier.identifierType.name}</li>

    • write this:

      <li><c:out value="${identifier.identifier}" /> <c:out value="${identifier.identifierType.name}" /></li>
  • Use StringEscapeUtils.escapeJavaScript() and StringEscapeUtils.escapeHtml() to escape any user-generated data in pages, choosing the method that matches the output context (JavaScript string literal vs. HTML body or attribute).
    • StringEscapeUtils is an Apache Commons Lang class; its Javadoc can be found here
  • In the reference application (with the UI framework), use ui.escapeJs(), ui.escapeHtml(), and ui.escapeAttribute()
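The following self-contained Java class is an added illustration, not code from this wiki, from OpenMRS or from Commons Lang; the class and helper names are invented for the example. It shows the two output contexts the list above distinguishes: HTML body/attribute escaping as <c:out> performs it, and JavaScript string-literal escaping as escapeJavaScript() performs it, applied to the same <li> example.

```java
public final class XssEscapeDemo {
    /** HTML body/attribute context: replaces the same five characters that <c:out> does. */
    public static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (char ch : s.toCharArray()) {
            switch (ch) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&#034;"); break;
                case '\'': sb.append("&#039;"); break;
                default:   sb.append(ch);
            }
        }
        return sb.toString();
    }
    /** JavaScript string-literal context: backslash-escape quotes, slashes and control chars. */
    public static String escapeJs(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (char ch : s.toCharArray()) {
            switch (ch) {
                case '\\': sb.append("\\\\"); break;
                case '\'': sb.append("\\'");  break;
                case '"':  sb.append("\\\""); break;
                case '/':  sb.append("\\/");  break; // stops "</script>" from ending the tag
                case '\n': sb.append("\\n");  break;
                case '\r': sb.append("\\r");  break;
                default:   sb.append(ch < 0x20 ? String.format("\\u%04x", (int) ch) : String.valueOf(ch));
            }
        }
        return sb.toString();
    }
    /** The wiki's <li> example with both values escaped for the HTML context. */
    public static String renderListItem(String identifier, String typeName) {
        return "<li>" + escapeHtml(identifier) + " " + escapeHtml(typeName) + "</li>";
    }
    /** An inline script that embeds the value inside a JS string literal. */
    public static String renderScript(String identifier) {
        return "<script>var id = '" + escapeJs(identifier) + "';</script>";
    }
    public static void main(String[] args) {
        // Constructed sample: a user-entered identifier that carries markup.
        String hostile = "123'<script>alert('x')</script>";
        System.out.println("unescaped: <li>" + hostile + "</li>");
        System.out.println("html ctx : " + renderListItem(hostile, "MRN"));
        System.out.println("js ctx   : " + renderScript(hostile));
    }
}
```

Note that the HTML escaper alone is not enough inside a <script> block: there the value must be escaped as a JS string literal, which is why the two helpers are kept separate.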
