
The following piece of code in my JSP caused a cross-site scripting vulnerability on the input tag.

<td id="locale-block" align="left" style="visibility: hidden; height: 0;">
    <input type="text" id="locale" name="locale" text="eng" value = "eng">eng
</td>

During penetration testing they were able to alert some random message to the user by injecting an alert script in the value attribute of the tag as follows:

</script><script>alert(1);</script><script>

What should be done to avoid this? Is there any simple solution which does not involve a paid 3rd-party library?

1 Answer

There's actually a good 3rd-party lib that takes care of sanitization pretty easily, called OWASP.

I first heard about it at JFokus 2014, from Jim Manico of WhiteHat Security, in his speech about Java security.

Check it out: here


1 Comment

Thanks for the answer. But I do not want a Java security framework for now. I want a JSP XSS validation/prevention framework.
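Added example, not code from the question or the answer: a dependency-free Java class that renders the locale input from the question with the value output-encoded for HTML. Note that the original markup writes the value twice, once inside `value="..."` and once as a text node right after the tag, so both contexts need encoding; a `<script>` tag echoed as text executes even though the payload never closes the attribute quote. The class renders the pentest payload through an unencoded and an encoded version, and goes slightly beyond the reported case by also feeding in a constructed input containing a double quote, to show the attribute delimiter being encoded. The class and method names (`LocaleInputEscapeDemo`, `escapeHtml`, `renderUnsafe`, `renderSafe`) are mine, and where the value originally comes from (presumably a request parameter) is an assumption, since the question does not show how `eng` reaches the page.

```java
import java.util.regex.Pattern;

/**
 * Added example (not from the original question or answer): encode the locale
 * value before it is written into the page, in both places the original JSP
 * echoes it. Plain JDK only, no third-party library.
 */
public class LocaleInputEscapeDemo {

    // The five characters that must never reach HTML text or a double-quoted
    // attribute value unencoded: & < > " and '. The reported payload only used
    // < and >, but " and ' are what let an attacker break out of the attribute.
    public static String escapeHtml(String input) {
        if (input == null) {
            return "";
        }
        StringBuilder out = new StringBuilder(input.length() + 16);
        for (int i = 0; i < input.length(); i++) {
            char c = input.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // Vulnerable rendering: mirrors the original JSP, which writes the raw value
    // into the attribute and again as text after the tag.
    public static String renderUnsafe(String locale) {
        return "<input type=\"text\" id=\"locale\" name=\"locale\" value=\""
                + locale + "\">" + locale;
    }

    // Hardened rendering: identical markup, value encoded in both contexts.
    public static String renderSafe(String locale) {
        String safe = escapeHtml(locale);
        return "<input type=\"text\" id=\"locale\" name=\"locale\" value=\""
                + safe + "\">" + safe;
    }

    private static final Pattern SCRIPT_TAG = Pattern.compile("(?i)</?script");

    // True if the rendered markup still contains a literal <script or </script.
    public static boolean containsScriptTag(String html) {
        return SCRIPT_TAG.matcher(html).find();
    }

    public static void main(String[] args) {
        // Inputs: the benign value, the payload from the pentest, and a
        // constructed variant that tries to close the attribute with a quote.
        String[] inputs = {
            "eng",
            "</script><script>alert(1);</script><script>",
            "\" autofocus onfocus=\"alert(1)\" x=\"",
        };
        for (String in : inputs) {
            String unsafe = renderUnsafe(in);
            String safe = renderSafe(in);
            System.out.println("input:  " + in);
            System.out.println("unsafe: " + unsafe);
            System.out.println("        script tag present: " + containsScriptTag(unsafe));
            System.out.println("safe:   " + safe);
            System.out.println("        script tag present: " + containsScriptTag(safe));
            System.out.println();
        }
    }
}
```

Compile and run with `javac LocaleInputEscapeDemo.java && java LocaleInputEscapeDemo`. In the JSP itself the same encoding is available without any paid library: JSTL's `<c:out value="${param.locale}"/>` escapes `<`, `>`, `&`, `"` and `'` by default, and `${fn:escapeXml(param.locale)}` does the same inside an attribute (`param.locale` is my assumption about the source of the value). The OWASP Java Encoder the answer refers to is free and open source as well; `org.owasp.encoder.Encode.forHtmlAttribute(...)` and `Encode.forHtml(...)` are the equivalents of `escapeHtml` above for the two contexts. Whichever you use, encode at output time, per context: the escape shown here is right for HTML text and quoted attributes but not for a value dropped into a `<script>` block or a URL, which need their own encoders.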
