Announcement Announcement Module
No announcement yet.
Preventing Cross-site scripting attacks in Spring Page Title Module
Move Remove Collapse
Conversation Detail Module
  • Filter
  • Time
  • Show
Clear All
new posts

  • Preventing Cross-site scripting attacks in Spring


    I am looking to add a some strict cross-site scripting rules to my application which is based on Spring. I added the recommended html 'defaultHtmlEscape' to true and used the <c:out> tag, but there are still some things we would like to prevent. I decided to use the java html sanitizer from . This will require me to call the sanitizing function every where a parameter is read, which is changes in a lot of places. Is there a central place I can do this? Perhaps, a class through which all the parameters are parsed? I saw that the NamedParameterUtils is used internally in Spring to parse the parameters. Is there a way to extend it?

    I also tried the XSS filter from, but it does not satisfy all our security requirements.

    Is there any other way of doing this in Spring?

    Any pointers are greatly appreciated.



  • #2
    Instead of rolling your own I suggest you take a look at HDIV which integrates with spring 3.1 (due to some new hooks, older versions need some overriding of taglibs if I recall correctly). That has out-of-the-box support for XSS, CSRF, Data Integrity Checks etc.