XSS vulnerability
  • XSS vulnerability

    What is the best way to secure the application against XSS vulnerabilities? Does Spring provide some controller to strip out all the possible combinations from the request?

  • #2
    I had this big post about how you didn't tell us if you knew what an XSS attack was and an explanation about the nuts and bolts of one. But I really think it is your responsibility to research how an XSS attack really works, even attack your own project to help get into the mind of a hacker. You could also attend some seminars or training on how to do it.

    But basically, you should escape any user input before it is displayed back to the browser and I have found that the java/jstl/core tags do just fine in this regard.

    Your post is so vague that I think most people will not want to reply because it is too much work to explain this stuff in a forum. You really need to be trained on this kind of stuff.

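The contrast reply #2 draws, as an added example that is not code from this thread or from the Spring project: an input blacklist of the kind the question asks for ("strip out all the possible combinations from the request") beside output escaping of the kind JSTL's `<c:out>` performs. `escapeHtml()` applies the five substitutions `<c:out value="${x}"/>` applies by default (`escapeXml="true"`); the class, method and payload names are this example's own, and the payloads are constructed for illustration.

```java
import java.util.Arrays;
import java.util.List;

/**
 * Added example, not code from the forum thread or from Spring.
 * stripScriptTags() is the blacklist approach; escapeHtml() is the output
 * escaping reply #2 recommends, matching what JSTL <c:out> does by default.
 */
public class XssEscapingDemo {

    /** Input blacklist: deletes every literal "<script" (case-insensitive) in one pass. */
    static String stripScriptTags(String input) {
        return input.replaceAll("(?i)<script", "");
    }

    /** Output escaping for HTML body text and double-quoted attribute values (the <c:out> set). */
    static String escapeHtml(String input) {
        StringBuilder out = new StringBuilder(input.length() + 16);
        for (int i = 0; i < input.length(); i++) {
            char c = input.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&#034;"); break;
                case '\'': out.append("&#039;"); break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    /**
     * The fragment can change the page's markup if a raw '<' that starts a tag
     * survives (body context) or a raw '"' survives (it closes the double-quoted
     * attribute the template put the value in). Escaped output has neither.
     */
    static boolean canBreakOut(String fragment) {
        return fragment.matches("(?s).*<[A-Za-z/!].*") || fragment.indexOf('"') >= 0;
    }

    /** The two places a JSP typically reflects a request value: a quoted attribute and body text. */
    static String render(String fragment) {
        return "<input name=\"q\" value=\"" + fragment + "\"> Results for: " + fragment;
    }

    public static void main(String[] args) {
        // Constructed payloads; each is shaped for a different HTML context.
        List<String> payloads = Arrays.asList(
            "<scr<script>ipt>alert(1)</script>",  // reassembles into <script> after a single-pass strip
            "<img src=x onerror=alert(1)>",       // runs with no <script> tag at all
            "\" onmouseover=\"alert(1)"            // closes the value="..." attribute and adds a handler
        );
        for (String p : payloads) {
            String stripped = stripScriptTags(p);
            String escaped  = escapeHtml(p);
            System.out.println("payload : " + p);
            System.out.println("  strip : " + render(stripped) + "  [breaks out: " + canBreakOut(stripped) + "]");
            System.out.println("  escape: " + render(escaped)  + "  [breaks out: " + canBreakOut(escaped)  + "]");
        }
        // Every stripped fragment still breaks out of its context; no escaped fragment does.
    }
}
```

In a JSP the same difference is `<c:out value="${param.q}"/>` (escaped) versus a bare `${param.q}` (not escaped); Spring's own form and bind tags honour the `defaultHtmlEscape` context-param in web.xml, and `org.springframework.web.util.HtmlUtils.htmlEscape` does the same job in Java code. The caveat: this escaping is only correct for HTML body text and quoted attributes. A value written into a `<script>` block, a URL, or a CSS property needs the encoder for that context, which is why the page, not a request filter, is the right place to decide how each value is escaped.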

    • #3
      I think XSS protection is actually one of those parts of a Web Framework that should not be optional but a "must have". I cannot understand why I could not find a straight explanation in a simple tutorial as to how to get protected against XSS attacks in the Spring Framework. Having worked before with other frameworks, I understand the importance of having this issue resolved from the Framework side.

      I have included a full example using a couple of open source classes in my SpringMVC tutorial "CoC or Convention over Configuration in Spring MVC Framework" which you can find at "code dot google dot com slash p slash nestorurquiza slash wiki slash SpringMVCTutorial" (Can't post URLs in this forum)

      I am sure Spring will ship sooner or later with XSS protection. Any rapid development framework out there has it or provides a straight solution for it.

      I actually think hindustani_ind's question is pretty clear and should be part of the Spring MVC FAQ.