XSS (Cross-site Scripting) is one of the most common vulnerabilities in web applications. And it can be exploited by hackers very easily, without using any sophisticated tool.
How does it work?
Most web applications have forms (text boxes etc.) to receive input data from the user. So, a web application may have an input text field to get a 'user-id'. The hacker may enter anything in it, including JavaScript. If the hacker enters JavaScript (malicious code), the server may process it and then return it. In this case the user-id is neither validated nor escaped, and it is sent back as it is on the error page.
If the user's input data is returned as it is, the JavaScript code may execute in the browser. And, hacker wins!!
I am posting the solution for Spring…
In Spring MVC, form tags are used to build JSP pages. Spring MVC provides multiple options to enable HTML escaping (encoding of HTML-significant characters as entity references) on the server side.
- At the global level, it is defined in the web.xml file. This applies to the entire application: all form tags refer to this setting. The sample code is shown below:
<context-param>
    <param-name>defaultHtmlEscape</param-name>
    <param-value>true</param-value>
</context-param>
- At the page level, it is defined as a tag declaration in the JSP. The code is:
<spring:htmlEscape defaultHtmlEscape="true" />
Any form tag after the above declaration uses HTML escaping.
- The third option is to set it as an attribute on each form tag. For example, an input text field can be defined as:
<form:input path="name" htmlEscape="true" />
Depending on the requirement, it can be applied at the global, page or tag level.
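To make the effect of these settings concrete, here is an added example (not code from the original post) that renders the "user-id not found" error page discussed above twice: once with the raw input concatenated into the HTML, and once through Spring's HtmlUtils.htmlEscape, which performs the same encoding the form tags apply when htmlEscape or defaultHtmlEscape is true. The class and method names are my own, and the example assumes spring-web is on the classpath.

```java
import org.springframework.web.util.HtmlUtils;

// Added example, not from the original post: the same error page rendered
// without and with server-side HTML escaping.
public class ErrorPageEscapingDemo {

    // Vulnerable: the user-controlled value is written into the HTML as-is,
    // so any markup or script in it becomes part of the page.
    static String renderUnsafe(String userId) {
        return "<p>User " + userId + " was not found.</p>";
    }

    // Hardened: HtmlUtils.htmlEscape turns characters with HTML meaning
    // ('<', '>', '&' and quotes) into entity references, so the browser
    // shows the input as text instead of interpreting it as markup.
    static String renderEscaped(String userId) {
        return "<p>User " + HtmlUtils.htmlEscape(userId) + " was not found.</p>";
    }

    // Simple check a test or log filter could use: does the rendered page
    // still contain an unescaped '<' that came from the input?
    static boolean containsUnescapedInput(String page, String userId) {
        return page.contains(userId) && userId.indexOf('<') >= 0;
    }

    public static void main(String[] args) {
        // Constructed sample input of the kind that could be submitted in the user-id field.
        String userId = "<script>alert(1)</script>";

        String unsafePage = renderUnsafe(userId);
        String escapedPage = renderEscaped(userId);

        System.out.println("Unsafe : " + unsafePage);
        System.out.println("Escaped: " + escapedPage);
        System.out.println("Unsafe page reflects raw input : " + containsUnescapedInput(unsafePage, userId));
        System.out.println("Escaped page reflects raw input: " + containsUnescapedInput(escapedPage, userId));
    }
}
```

One caveat worth keeping in mind: defaultHtmlEscape and the htmlEscape attribute govern Spring's own tag library (form:* and spring:* tags). A plain JSP EL expression such as ${error} written directly into the page is not covered by them; for such values use the JSTL c:out tag, which escapes XML by default, or escape the value in the controller before adding it to the model, as the example above does.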
I hope this information helps. Please do post your comments 🙂