Questions on HTML escaping for XSS protection

I have turned on HTML escaping globally for Spring tags and XML escaping for JSTL tags.
From what I understand, HTML escaping escapes a whole list of characters defined by the HTML 4 standard, and XML escaping escapes the Big Five, i.e. < > & " '. My current requirement will be to only enable XML escaping on Spring tags, as I am only interested in XSS prevention and not in the other characters on the HTML standard's list.
When I use Spring and other tags in coordination I have the following issue:
<spring:message code="test" var="testvar" />
<c:out value="${testvar}" />
In the above case, characters like umlauts get HTML escaped at the first instance, and the escaped ampersand then gets XML escaped again. The answer would naturally be to not double escape it, but selectively marking some items as escape=false leads to a headache in a security audit.
Can anyone suggest a cleaner way of doing this? I have thought about a custom message tag or patching the Spring jar so that it accepts XML escaping, but that would be a last resort.
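The double-escaping the post describes, modelled as an added example (not code from the poster or from Spring/JSTL): an XML escaper that touches only the Big Five, an HTML-4 escaper built from Python's `html.entities.codepoint2name` table (the same HTML 4 entity list, so `ü` becomes `&uuml;`; the `&#39;` handling of the apostrophe is an assumption about the modelled HTML escaper, not a claim about Spring's exact output), a `render` function that chains them the way `spring:message` followed by `c:out` does, and a check that flags double-encoded entities in rendered output, which is the kind of regression test an audit can run instead of reviewing every `escape=false`.

```python
import re
from html.entities import codepoint2name  # HTML 4 named entities, codepoint -> name

# The "Big Five" that XML escaping (JSTL c:out escapeXml) replaces.
_XML_ESCAPES = {"&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;"}


def xml_escape(text: str) -> str:
    """Escape only the Big Five. Ampersand first so we never re-escape our own output."""
    out = text.replace("&", "&amp;")
    for ch in "<>\"'":
        out = out.replace(ch, _XML_ESCAPES[ch])
    return out


def html_escape(text: str) -> str:
    """Escape every character that has an HTML 4 named entity (umlauts included),
    plus the apostrophe as a numeric reference. Models the 'HTML 4 list' escaper."""
    parts = []
    for ch in text:
        cp = ord(ch)
        if cp in codepoint2name:            # covers & < > " and Latin-1 letters like ü, ß
            parts.append(f"&{codepoint2name[cp]};")
        elif ch == "'":                     # HTML 4 has no &apos;, so use a numeric reference
            parts.append("&#39;")
        else:
            parts.append(ch)
    return "".join(parts)


def render(message: str, spring_html_escape: bool, jstl_xml_escape: bool) -> str:
    """Simulate <spring:message var=...> feeding <c:out value=...>:
    the message is HTML-escaped first (if enabled), then XML-escaped by c:out (if enabled)."""
    value = html_escape(message) if spring_html_escape else message
    return xml_escape(value) if jstl_xml_escape else value


# An entity whose leading '&' has itself been escaped: "&amp;uuml;", "&amp;amp;", "&amp;#39;" ...
_DOUBLE_ESCAPED = re.compile(r"&amp;(?:#\d+|#x[0-9a-fA-F]+|[A-Za-z][A-Za-z0-9]*);")


def find_double_escapes(rendered: str) -> list[str]:
    """Return every double-encoded entity in rendered output; an empty list means clean."""
    return _DOUBLE_ESCAPED.findall(rendered)


if __name__ == "__main__":
    # Constructed sample message: German text with an umlaut, an eszett and markup characters.
    msg = "Grüße & <b>"
    both = render(msg, spring_html_escape=True, jstl_xml_escape=True)
    print("both layers :", both, "->", find_double_escapes(both))
    xml_only = render(msg, spring_html_escape=False, jstl_xml_escape=True)
    print("XML only    :", xml_only, "->", find_double_escapes(xml_only))
```

With both layers on, the umlaut becomes `&amp;uuml;` and the browser shows the literal text `&uuml;`; with only the XML layer, non-ASCII letters pass through untouched while `&`, `<`, `>`, `"` and `'` are still neutralised, which is the behaviour the post is after. Running `find_double_escapes` over rendered pages in a test turns the audit question "which tags have escaping turned off?" into "does any page contain a double-encoded entity?".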