
Thread: Spring EL injection and XSS concerns


  1. #1

    Spring EL injection and XSS concerns

    All,

    Is the following susceptible to XSS attacks?

    Code:
    <spring:message code="some.message.with.args" arguments="${userInput}"/>
    Assuming that ${userInput} comes directly from the user or from the query string.

    For example, if my URL is as follows: www.mysite.com/q=<script>alert('xss')</script>

    and I do this in my JSP:

    Code:
    <spring:message code="some.message.with.args" arguments="${param.q}"/>
    Is this an XSS vulnerability (i.e., will the script tags be interpreted by the browser)? I believe the answer to be yes.

    Furthermore, I am under the impression that to protect against this, one would do the following:
    Code:
    <spring:message code="some.message.with.args" arguments="${fn:escapeXml(param.q)}"/>
    Does this sound correct?
    Last edited by eeiswerth; Apr 26th, 2012 at 12:08 PM.
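The following is an added example, not code from the original post or from the Spring project. It reproduces outside a servlet container what the three variants of the `<spring:message>` tag discussed above actually emit for the query value from the post: the argument passed through verbatim, the argument escaped before substitution (`fn:escapeXml`), and the whole message escaped via the tag's `htmlEscape` attribute. The message text behind `some.message.with.args` is constructed for this example and deliberately contains markup of its own; `HtmlUtils.htmlEscape` from spring-web stands in for the JSTL `fn:escapeXml` function (both neutralise `<`, `>`, `&`, `'` and `"`). It needs spring-context and spring-web on the classpath.

```java
import java.util.Locale;

import org.springframework.context.support.StaticMessageSource;
import org.springframework.web.util.HtmlUtils;

/**
 * Shows, outside a servlet container, the three ways the <spring:message> tag
 * can end up rendering an attacker-controlled argument. The message text and
 * the query value are constructed for this example.
 */
public class MessageArgumentEscapingDemo {

    // Constructed stand-in for the messages.properties entry behind
    // "some.message.with.args". It contains markup of its own so that the
    // difference between escaping the argument and escaping the whole
    // resolved message becomes visible.
    static final String CODE = "some.message.with.args";
    static final String PATTERN = "Results for <em>{0}</em>";

    // Constructed attacker-controlled value of the q request parameter.
    static final String PAYLOAD = "<script>alert('xss')</script>";

    private static StaticMessageSource messageSource() {
        StaticMessageSource source = new StaticMessageSource();
        source.addMessage(CODE, Locale.ENGLISH, PATTERN);
        return source;
    }

    /** arguments="${param.q}" with default settings: the argument is substituted verbatim. */
    static String renderUnescaped(String q) {
        return messageSource().getMessage(CODE, new Object[] { q }, Locale.ENGLISH);
    }

    /** arguments="${fn:escapeXml(param.q)}": only the argument is escaped, message markup survives. */
    static String renderWithEscapedArgument(String q) {
        // HtmlUtils.htmlEscape stands in for JSTL fn:escapeXml here.
        return messageSource().getMessage(CODE, new Object[] { HtmlUtils.htmlEscape(q) }, Locale.ENGLISH);
    }

    /** htmlEscape="true" on the tag: the fully resolved message is escaped, its own markup included. */
    static String renderWholeMessageEscaped(String q) {
        return HtmlUtils.htmlEscape(renderUnescaped(q));
    }

    /** The property that matters for the question in the post: does a live <script> tag reach the browser? */
    static boolean containsLiveScriptTag(String html) {
        return html.toLowerCase(Locale.ROOT).contains("<script");
    }

    public static void main(String[] args) {
        String[][] variants = {
            { "arguments=\"${param.q}\"", renderUnescaped(PAYLOAD) },
            { "arguments=\"${fn:escapeXml(param.q)}\"", renderWithEscapedArgument(PAYLOAD) },
            { "htmlEscape=\"true\"", renderWholeMessageEscaped(PAYLOAD) },
        };
        for (String[] variant : variants) {
            System.out.printf("%-40s -> %s%n    live <script> tag: %s%n",
                    variant[0], variant[1], containsLiveScriptTag(variant[1]));
        }
    }
}
```

The first variant emits `<em><script>alert('xss')</script></em>`, so the browser executes the script; the second emits `<em>&lt;script&gt;...</em>`, which is inert while the message's own `<em>` still renders; the third neutralises the payload too but also turns the message's `<em>` into text, which is the trade-off to weigh if you instead switch the tag's default on site-wide with the `defaultHtmlEscape` servlet context parameter or the `<spring:htmlEscape>` tag. Either form of HTML escaping is only sufficient when the message lands in HTML element content; a message interpolated into an attribute value or a `<script>` block needs escaping for that context as well.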
