-
Sep 26th, 2008, 06:28 AM
#1
XSS vulnerability
What is the best way to secure the application against XSS vulnerabilities? Does Spring provide some controller to strip out all the possible combinations from the request?
-
Sep 27th, 2008, 12:28 AM
#2
hindustani_ind,
I had this big post about how you didn't tell us if you knew what an XSS attack was and an explanation about the nuts and bolts of one. But I really think it is your responsibility to research how an XSS attack really works, even attack your own project to help get into the mind of a hacker. You could also attend some seminars or training on how to do it.
But basically, you should escape any user input before it is displayed back to the browser and I have found that the java/jstl/core tags do just fine in this regard.
Your post is so vague that I think most people will not want to reply because it is too much work to explain this stuff in a forum. You really need to be trained on this kind of stuff.
Kblibr
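
The escaping described in the reply above, as an added example that is not part of the original thread: a JSP page that echoes a hypothetical `comment` request parameter first unescaped and then through the JSTL core `c:out` tag. The taglib URIs are the JSTL 1.1+ ones, which is an assumption about the version in use.

```jsp
<%@ page contentType="text/html; charset=UTF-8" %>
<%@ taglib prefix="c"  uri="http://java.sun.com/jsp/jstl/core" %>
<%@ taglib prefix="fn" uri="http://java.sun.com/jsp/jstl/functions" %>
<%-- "comment" is a hypothetical request parameter used for this example.
     Constructed test value: <script>alert(1)</script> --%>
<html>
<body>

<%-- UNSAFE: JSP 2.x EL in template text is written to the response
     verbatim, so markup in the parameter becomes markup in the page. --%>
<p>Unescaped: ${param.comment}</p>

<%-- SAFE (HTML body): c:out escapes by default (escapeXml="true").
     < > & ' "  become  &lt; &gt; &amp; &#039; &#034;
     The constructed value is rendered as visible text:
     &lt;script&gt;alert(1)&lt;/script&gt; --%>
<p>Escaped: <c:out value="${param.comment}"/></p>

<%-- SAFE (quoted attribute value): fn:escapeXml applies the same
     escaping inline in an EL expression. Keep the attribute quoted,
     otherwise a space in the value can still start a new attribute. --%>
<input type="text" name="comment" value="${fn:escapeXml(param.comment)}"/>

<%-- Setting escapeXml="false" on c:out turns the escaping off.
     Reserve it for markup the application generated itself and
     never use it for request data. --%>

</body>
</html>
```

This escaping is correct for HTML body text and quoted attribute values. A value written into a `<script>` block, an event-handler attribute or a URL needs the encoding for that context instead.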
-
Sep 28th, 2008, 01:48 PM
#3
I think XSS protection is actually one of those parts of a Web Framework that should not be optional but a "must have it". I cannot understand why I could not find a straight explanation in a simple tutorial as to how to get protected against XSS attacks in Spring Framework. Having worked before with other frameworks I understand the importance of having this issue resolved from the Framework side.
I have included a full example using a couple of open source classes in my SpringMVC tutorial "CoC or Convention over Configuration in Spring MVC Framework" which you can find at "code dot google dot com slash p slash nestorurquiza slash wiki slash SpringMVCTutorial" (Can't post URLs in this forum)
I am sure Spring will ship sooner or later with XSS protection. Any rapid development framework out there has it or provides a straight solution for it.
I actually think hindustani_ind's question is pretty clear and should be part of Spring MVC FAQ.
Cheers,
-Nestor