Avoid Cross site scripting in Jsp

jami siva
Ranch Hand

Joined: Oct 16, 2009
Posts: 60
How do I avoid cross-site scripting in JSP?
Currently I am using scriptlet code to display any error messages.
Below is the code:
<%
out.println (error.getMessage() );
%>

How do I make this statement avoid cross-site scripting?

Thank you guys
Siva
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 41042
In which way do you think this code is vulnerable to XSS attacks? Is the string returned by getMessage generated from user input?


Ping & DNS - my free Android networking tools app
jami siva
Ranch Hand

Joined: Oct 16, 2009
Posts: 60
No, this getMessage is generated from the server.
I don't even know whether that is the only code exposed to cross-site scripting. If so, how do I write code in JSP to avoid things like cross-site scripting?
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 41042
Start reading here: http://www.coderanch.com/how-to/java/SecurityFaq#web-apps
Jeanne Boyarsky
internet detective
Marshal

Joined: May 26, 2003
Posts: 30057

If you use <c:out> instead of a scriptlet, it will escape the special characters for you.


[Blog] [JavaRanch FAQ] [How To Ask Questions The Smart Way] [Book Promos]
Blogging on Certs: SCEA Part 1, Part 2 & 3, Core Spring 3, OCAJP, OCPJP beta, TOGAF part 1 and part 2
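
The suggestion above as it would look in a page, added here as an example that is not part of the original thread. It assumes the error object from the question is available as a request attribute named `error` (the thread does not say where it is stored), and the message text is constructed sample data.

```jsp
<%@ page contentType="text/html; charset=UTF-8" %>
<%@ taglib prefix="c"  uri="http://java.sun.com/jsp/jstl/core" %>
<%@ taglib prefix="fn" uri="http://java.sun.com/jsp/jstl/functions" %>
<%
    // Constructed sample data: a message containing HTML-significant characters.
    // Assumption: the application exposes the error as a request attribute
    // named "error"; EL cannot see local scriptlet variables.
    request.setAttribute("error",
        new IllegalArgumentException("Unknown user <b>bob</b> & \"friends\""));
%>
<html>
<body>

<%-- Before: the scriptlet from the question writes the message verbatim,
     so <b>bob</b> reaches the browser as live markup. --%>
<p><% out.println(((Exception) request.getAttribute("error")).getMessage()); %></p>

<%-- After: c:out escapes < > & ' " by default (escapeXml="true"),
     so the browser shows the characters as text. --%>
<p><c:out value="${error.message}" /></p>

<%-- Same escaping inside a quoted attribute value, via the JSTL function. --%>
<input type="text" name="lastError" value="${fn:escapeXml(error.message)}" />

<%-- escapeXml="false" switches the protection off; treat any use of it
     as something to justify in code review. --%>
<p><c:out value="${error.message}" escapeXml="false" /></p>

</body>
</html>
```

`c:out` and `fn:escapeXml` cover HTML body text and quoted attribute values; a value written into a script block or a URL needs encoding for that context instead.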