Thread: Spring - cross site scripting

  1. #1

    Default [Solved] Spring - cross site scripting

    Hi,

    How do I handle cross-site scripting in Spring globally, at page or application level?
    If we want to handle it individually in a form we can set htmlEscape to true on each field, but what if we want to make it globally true once for a page?

    Please help....

    Regards,
    Last edited by buntyindia; Oct 10th, 2008 at 12:00 AM.

  2. #2

    Default

    While searching on the net, I found the following:


    In Spring-MVC, form-tags are used to create the jsp page. Spring MVC provides multiple options to encode the html-escape-sequences on the server side.

    * At global level, it can be defined in the web.xml file. This will be applicable to the entire application. All form-tags would refer to this definition. The sample code is shown below:

    <context-param>
        <param-name>defaultHtmlEscape</param-name>
        <param-value>true</param-value>
    </context-param>

    * At page level, it is defined as a tag-declaration. The code is:

    <spring:htmlEscape defaultHtmlEscape="true" />

    Any form-tag after the above declaration uses html-escape-sequence-encoding.

    * The third option is to define it as an attribute on each form-tag. For example, an input-text can be defined as:

    <form:input path="name" htmlEscape="true" />

    Depending upon the requirement, it can be implemented at global, page or tag level.

    on the http://www.techcrony.info/?p=41 website.

    Will this work, or is there any change suggested for this by you people?
    Last edited by buntyindia; Oct 8th, 2008 at 01:42 PM.

  3. #3

    Default [Solved]

    This works fine for global settings.

    Code:
    <context-param>
      <param-name>defaultHtmlEscape</param-name>
      <param-value>true</param-value>
    </context-param>
    Site http://www.techcrony.info/?p=41 was a good resource.

    Last edited by buntyindia; Oct 10th, 2008 at 12:03 AM.
  4. #4
    Default

    interesting, thanks for posting this.

  5. #5

    Default

    Quote Originally Posted by ew0kian
    interesting, thanks for posting this.
    you are welcome
  6. #6
    Default

    I've tried the above (at web.xml, page, and control levels) without success. When displaying the values, the browser just executes the javascript or html tags as I enter them without doing any escaping.

    I am displaying the entered fields as ${varname}

    web.xml has this:
    Code:
       <context-param>
           <param-name>defaultHtmlEscape</param-name>
           <param-value>true</param-value>
       </context-param>
    top of the pages (both input and display) have this:

    Code:
    <spring:htmlEscape defaultHtmlEscape="true"/>
    the control has this:

    Code:
    <form:textarea id="varname" path="varname" htmlEscape="true"/>
    What could I be doing wrong?
    Last edited by pgibbons; Jun 18th, 2009 at 05:04 PM.

  7. #7
    Default

    Did you ever get a solution to this? I'm using Freemarker with Spring as well, and unless I put the ?html on the field, or use the <#escape x as x?html>${variable}</#escape>, the html is not escaped properly.

    The forms work fine, based on the setting of that context-param in web.xml.

  8. #8
    Default

    Quote Originally Posted by buntyindia

    * At global level, it can be defined in web.xml file. This will be applicable to entire application. All form-tags would refer to this definition. The sample code is shown below:

    * At page level, it is defined as a tag-declaration. The code is:

    Any form-tag, after the above declaration uses html-escape-sequence-encoding.

    * Third option is to define it as attribute for each form-tag. For example, a input-text can be defined as :

    Depending upon requirement, it can be implemented as global, page or tag level.

    on http://www.techcrony.info/?p=41 website.

    Will this work or is there any change is suggested for this by you people?
    Hi,

    I tried all 3 options on my project, but none of them seems to work. If I input JavaScript or an HTML header (h1) in a textarea, it is rendered as well.
    Is there another tweak to get this to work?

    thanks
    aofs
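Added illustration (not from any poster in this thread) of why the symptom in #6 and #8 appears even with defaultHtmlEscape set: the web.xml context-param, the spring:htmlEscape tag and the htmlEscape attribute are consulted only by Spring's own tag library, while a plain JSP EL expression such as ${varname} writes the model value into the response untouched. The page assumes a model attribute named varname holding user-supplied text and a form command object bound under Spring's default name.

```jsp
<%@ page contentType="text/html;charset=UTF-8" %>
<%@ taglib prefix="c"      uri="http://java.sun.com/jsp/jstl/core" %>
<%@ taglib prefix="fn"     uri="http://java.sun.com/jsp/jstl/functions" %>
<%@ taglib prefix="form"   uri="http://www.springframework.org/tags/form" %>
<%@ taglib prefix="spring" uri="http://www.springframework.org/tags" %>

<%-- Assumed: the controller put a model attribute "varname" in the request,
     containing whatever the user typed, e.g. <script>alert(1)</script>   --%>

<%-- Honoured by defaultHtmlEscape: Spring's form tags read the setting
     (web.xml context-param, <spring:htmlEscape>, or the htmlEscape attribute)
     and write the bound value as &lt;script&gt;... into the textarea. --%>
<form:form>
    <form:textarea path="varname" htmlEscape="true"/>
</form:form>

<%-- NOT honoured: plain EL output knows nothing about Spring's setting and
     emits the raw value, so the browser renders the markup. This is what
     #6 and #8 are seeing on their display pages. --%>
<p>${varname}</p>

<%-- Fix 1: JSTL c:out escapes <, >, &, ' and " by default (escapeXml="true"). --%>
<p><c:out value="${varname}"/></p>

<%-- Fix 2: same escaping when the value is needed inside an EL expression. --%>
<p>${fn:escapeXml(varname)}</p>

<%-- Fix 3: Spring's own tag, escapes its evaluated body when htmlEscape is true. --%>
<p><spring:escapeBody htmlEscape="true">${varname}</spring:escapeBody></p>
```

All three fixes escape for an HTML element body; a value placed inside a script block or an event-handler attribute needs escaping for that context instead.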
