Alternative to using c:out to prevent XSS

Posted by lynxforest on Stack Overflow See other posts from Stack Overflow or by lynxforest
Published on 2010-12-16T21:34:17Z Indexed on 2011/01/06 6:53 UTC
Read the original article Hit count: 251

Filed under:
|
|
|
|

I'm working on preventing cross site scripting (XSS) in a Java, Spring based, Web application. I have already implemented a servlet filter similar to this example http://greatwebguy.com/programming/java/simple-cross-site-scripting-xss-servlet-filter/ which sanitizes all the input into the application. As an extra security measure I would like to also sanitize all output of the application in all JSPs. I have done some research to see how this could be done and found two complementary options.

One of them is the use of Spring's defaultHtmlEscape attribute. This was very easy to implement (a few lines in web.xml), and it works great when your output is going through one of spring's tags (ie: message, or form tags). The other option I have found is to not directly use EL expressions such as ${...} and instead use <c:out value="${...}" />

That second approach works perfectly, however due to the size of the application I am working on (200+ JSP files). It is a very cumbersome task to have to replace all inappropriate uses of EL expressions with the c:out tag. Also it would become a cumbersome task in the future to make sure all developers stick to this convention of using the c:out tag (not to mention, how much more unreadable the code would be).

Is there alternative way to escape the output of EL expressions that would require fewer code modifications?

Thank you in advance.

© Stack Overflow or respective owner

Related posts about security

Related posts about spring