Avoiding XSS scripting

  • In JSPs, wrap every string-typed attribute (or, more simply, every variable) in a JSTL core `<c:out>` tag (core.OutTag), so that its value is HTML-escaped before it reaches the page.
    • Example: instead of this:

          <li>${identifier.identifier} ${}</li>

    • write this:

          <li><c:out value="${identifier.identifier}" /> <c:out value="${}" /></li>
  • Use StringEscapeUtils.escapeJavaScript() and StringEscapeUtils.escapeHtml() to escape any user-generated data written into pages from Java code; pick the method that matches the context the data lands in (HTML body or attribute versus a JavaScript string literal).
    • StringEscapeUtils is an Apache Commons Lang class; its Javadoc can be found here.
  • In the reference application (with the UI framework), use ui.escapeJs(), ui.escapeHtml(), and ui.escapeAttribute().
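As an added illustration (not code from the OpenMRS wiki or code base), the snippet below renders one constructed user-supplied value into the three output contexts the bullets above mention, using the Apache Commons Lang methods named on this page. The sample input, the class name and the helper method names are assumptions made for the demo.

```java
import org.apache.commons.lang.StringEscapeUtils;

public class XssEscapingDemo {

    // Constructed sample of user-generated data, e.g. text typed into an identifier field.
    // It tries to close an attribute, then inject a script element.
    static final String USER_INPUT = "\" onmouseover=\"alert('x')\"<script>alert('x')</script>";

    // HTML body context: the Java-side equivalent of <c:out value="${...}"/> in a JSP.
    // '<', '>', '&' and '"' become entities, so the browser shows the text instead of running it.
    static String listItem(String value) {
        return "<li>" + StringEscapeUtils.escapeHtml(value) + "</li>";
    }

    // HTML attribute context: always quote the attribute AND escape the value; escaping alone
    // does not help if the attribute is left unquoted.
    static String inputField(String value) {
        return "<input name=\"identifier\" value=\"" + StringEscapeUtils.escapeHtml(value) + "\" />";
    }

    // JavaScript string context: HTML escaping is the wrong encoder here. escapeJavaScript()
    // backslash-escapes quotes, backslashes and '/' (so "</script>" becomes "<\/script>"),
    // which keeps the value inside the quoted literal.
    static String scriptVar(String value) {
        return "<script>var identifier = '" + StringEscapeUtils.escapeJavaScript(value) + "';</script>";
    }

    public static void main(String[] args) {
        System.out.println(listItem(USER_INPUT));
        System.out.println(inputField(USER_INPUT));
        System.out.println(scriptVar(USER_INPUT));
    }
}
```

Running it shows the same input rendered harmlessly in each context; in a JSP the first two cases are what `<c:out>` gives you, while the third needs the JavaScript encoder (or ui.escapeJs() in the reference application).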