
Thread: Spring EL injection and XSS concerns

  1. #1
    Join Date
    Apr 2012
    Posts
    4

    Default Spring EL injection and XSS concerns

    All,

    Is the following susceptible to XSS attacks?

    Code:
    <spring:message code="some.message.with.args" arguments="${userInput}"/>
    Assuming that ${userInput} comes directly from the user or from the query string.

    For example, if my URL is as follows: www.mysite.com/q=<script>alert('xss')</script>

    and I do this in my JSP :

    Code:
    <spring:message code="some.message.with.args" arguments="${param.q}"/>
    Is this an XSS vulnerability (i.e., will the script tags be interpreted by the browser)? I believe the answer to be yes.

    Furthermore, I am under the impression that to protect against this, one would do the following:
    Code:
    <spring:message code="some.message.with.args" arguments="${fn:escapeXml(param.q)}"/>
    Does this sound correct?
    Last edited by eeiswerth; Apr 26th, 2012 at 12:08 PM.
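
    The substitution that <spring:message code="..." arguments="..."/> performs is plain java.text.MessageFormat on the resolved message pattern, so nothing escapes the argument unless you escape it yourself (fn:escapeXml on the argument, as in the question), or set htmlEscape="true" on the tag / the defaultHtmlEscape context-param in web.xml, which escapes the whole resolved message. The program below is an added example written for this editorial pass, not code from the thread or from Spring; it reproduces that substitution with a constructed one-entry message catalog and a small escapeXml() stand-in for JSTL's fn:escapeXml, and renders the question's payload three ways: unescaped (the vulnerable case), with the argument escaped, and with the whole message escaped.

```java
import java.text.MessageFormat;
import java.util.Locale;
import java.util.Map;

/**
 * Demonstrates why <spring:message ... arguments="${param.q}"/> is an XSS sink
 * and what the two escaping options produce. Constructed example; the message
 * catalog and the escapeXml() helper are stand-ins, not Spring or JSTL code.
 */
public class MessageArgEscapeDemo {

    // Constructed stand-in for a messages.properties entry (assumes Java 9+ for Map.of).
    static final Map<String, String> MESSAGES = Map.of(
        "some.message.with.args", "Search results for: {0}");

    // Same five replacements JSTL's fn:escapeXml performs: < > & " ' (hypothetical
    // helper so the example runs without a servlet container).
    static String escapeXml(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&#034;"); break;
                case '\'': sb.append("&#039;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // What the tag does internally: resolve the pattern for the code, then
    // MessageFormat it with the supplied arguments. No escaping happens here.
    static String render(String code, Object... args) {
        return new MessageFormat(MESSAGES.get(code), Locale.ENGLISH).format(args);
    }

    // 1. arguments="${param.q}"                -> raw markup reaches the page
    static String vulnerable(String q) {
        return render("some.message.with.args", q);
    }

    // 2. arguments="${fn:escapeXml(param.q)}"  -> only the untrusted part is escaped
    static String escapedArgument(String q) {
        return render("some.message.with.args", escapeXml(q));
    }

    // 3. htmlEscape="true" (or defaultHtmlEscape) -> the entire resolved message is escaped
    static String escapedMessage(String q) {
        return escapeXml(render("some.message.with.args", q));
    }

    public static void main(String[] args) {
        // Constructed query-string value, the payload from the question.
        String q = "<script>alert('xss')</script>";
        System.out.println("vulnerable:        " + vulnerable(q));
        System.out.println("escaped argument:  " + escapedArgument(q));
        System.out.println("escaped message:   " + escapedMessage(q));
    }
}
```

    The first line is what the JSP in the question emits: the script element arrives in the HTML intact, which is the XSS. The other two are both safe in an HTML body context. Escaping the argument is the more precise fix, because htmlEscape="true" also escapes any markup the message bundle itself intentionally contains; do not combine the two, since fn:escapeXml on the argument plus htmlEscape="true" double-encodes and shows a literal &lt; to the user. If the message is written into a script block rather than into markup, escape for that context instead (the tag's javaScriptEscape attribute), since HTML escaping does not make a string safe inside JavaScript.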

  2. #2
    Join Date
    Dec 2008
    Location
    New York City
    Posts
    135

    Default

    http://forum.springsource.org/showth...site-scripting

    Imo, this should be better documented since it's generally a best practice.

    Note, there's some other bad stuff that can happen with spring el (and similar apis) documented at http://www.springsource.com/security/cve-2011-2730

    -Andy
    Andrew Thompson - Linked In
