
Avoid Cross site scripting in Jsp

jami siva
Ranch Hand

Joined: Oct 16, 2009
Posts: 63
How to avoid Cross site scripting in Jsp.
Currently I am using scriptlet code to display any error messages.
Below is the code :
<%
out.println (error.getMessage() );
%>

How do I make this statement avoid Cross Site Scripting?

Thank you guys
Siva
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 41835
    
  63
In which way do you think this code is vulnerable to XSS attacks? Is the string returned by getMessage generated from user input?


Ping & DNS - my free Android networking tools app
jami siva
Ranch Hand

Joined: Oct 16, 2009
Posts: 63
No, this getMessage is generated from the server.
Even I don't know that is the only code to attack Cross site scripting. If so, how to write code in JSP to avoid things, meaning Cross site scripting?
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 41835
    
  63
Start reading here: http://www.coderanch.com/how-to/java/SecurityFaq#web-apps
Jeanne Boyarsky
internet detective
Marshal

Joined: May 26, 2003
Posts: 30516
    
150

If you use <c:out> instead of a scriptlet, it will escape the special characters for you.


[Blog] [JavaRanch FAQ] [How To Ask Questions The Smart Way] [Book Promos]
Blogging on Certs: SCEA Part 1, Part 2 & 3, Core Spring 3, OCAJP, OCPJP beta, TOGAF part 1 and part 2
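
Added example, not part of the thread or any poster's code: the scriptlet from the question beside the JSTL replacement suggested above. It assumes JSTL 1.2 is on the classpath and that the error object is available as a request attribute named "error"; the message text is a constructed sample.

```jsp
<%@ page contentType="text/html; charset=UTF-8" %>
<%@ taglib prefix="c"  uri="http://java.sun.com/jsp/jstl/core" %>
<%@ taglib prefix="fn" uri="http://java.sun.com/jsp/jstl/functions" %>
<%
    // Constructed sample: a server-generated message that echoes a request value.
    // The attribute name "error" is an assumption made for this example.
    request.setAttribute("error", new IllegalArgumentException(
        "No such user: <script>alert(1)</script> & \"friends\""));
    Throwable error = (Throwable) request.getAttribute("error");
%>
<html>
<body>
  <%-- BEFORE (the scriptlet from the question): the message is written to the
       response unchanged, so any markup inside it is parsed by the browser. --%>
  <p class="raw"><% out.println(error.getMessage()); %></p>

  <%-- AFTER: c:out escapes & < > " ' by default (escapeXml="true"), so the
       same message is rendered as plain text. --%>
  <p class="escaped"><c:out value="${error.message}" /></p>

  <%-- A null message prints the default instead of an empty element. --%>
  <p class="escaped">
    <c:out value="${requestScope.missing.message}" default="Unknown error" />
  </p>

  <%-- Inside an attribute, keep the value quoted and escape it with
       fn:escapeXml; the quotes in the message can then no longer close it. --%>
  <input type="text" readonly value="${fn:escapeXml(error.message)}" />

  <%-- Caveats: escapeXml="false" switches the escaping off, and this escaping
       only fits HTML text and quoted attribute values. Values placed inside
       script blocks or URLs need encoding for that context instead. --%>
</body>
</html>
```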
 