There's only a risk of XSS if location.getLocDetails() can return user-controlled input. If it, for example, returns the value straight from the HTTP Accept-Language header without any syntax checking or escaping, then there's indeed a risk of XSS.
You should always escape user-controlled input during display, at least every input which can to a certain degree be controlled by the client, including HTTP request headers and request URLs. It is basically fairly simple: just use a display tool which escapes the HTML entities <, >, " and '.
In the case of JSP, the easiest way is to use the JSTL (just drop jstl-1.2.jar in /WEB-INF/lib if not done yet) <c:out> tag for this. Thus the particular line should be replaced by (assuming that location is already available in page, request, session or application scope):
var loc = '<c:out value="${location.locDetails}" />';
That said, it's high time to get rid of all scriptlets in your JSP file; it would only make it better :) To learn more about JSTL, read this.
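Added example, not part of the original answer: a small Java program that applies the five replacements <c:out> performs to constructed Accept-Language values and prints the resulting var loc line, next to an encoder for the JavaScript string context (this goes one step beyond the answer). The class name, the escapeJsString helper and the sample values are assumptions made for illustration.

```java
// Added example; the sample header values below are constructed.
public class LocEscapeDemo {

    // The five replacements JSTL's <c:out> applies when escapeXml is true (its default).
    static String escapeXml(String s) {
        StringBuilder out = new StringBuilder();
        for (char c : s.toCharArray()) {
            switch (c) {
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '&':  out.append("&amp;");  break;
                case '"':  out.append("&#034;"); break;
                case '\'': out.append("&#039;"); break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // Hypothetical helper for the JavaScript string context: anything outside a
    // small ASCII allow-list is written as a backslash-u hex escape.
    static String escapeJsString(String s) {
        StringBuilder out = new StringBuilder();
        for (char c : s.toCharArray()) {
            boolean safe = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z')
                    || (c >= '0' && c <= '9') || " ,.-_".indexOf(c) >= 0;
            if (safe) {
                out.append(c);
            } else {
                out.append(String.format("\\u%04x", (int) c));
            }
        }
        return out.toString();
    }

    public static void main(String[] args) {
        String[] samples = {
            "en-US,en;q=0.9",      // ordinary header value
            "en'; alert(1); //",   // tries to close the string literal
            "en</script>",         // tries to close the script element
            "en\\"                 // trailing backslash
        };
        for (String v : samples) {
            System.out.println("unescaped : var loc = '" + v + "';");
            System.out.println("c:out     : var loc = '" + escapeXml(v) + "';");
            System.out.println("js string : var loc = '" + escapeJsString(v) + "';");
            System.out.println();
        }
    }
}
```

In the c:out lines the quote and angle-bracket samples can no longer end the string or the script element, but browsers do not decode entities inside a script element, so loc holds the literal entity text, and the backslash passes through unchanged. The js string lines decode back to the original value when the script runs.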
location.getLocDetails() returns? What does the source look like when the JS is run, and what is the URL of your site? Are you really getting an error on that line, or on the line where you're trying to use loc?