What is XSS (Cross Site Scripting):
XSS (Cross-site Scripting) is one of the most common vulnerabilities in web applications, and it can be exploited very easily without any sophisticated tool.
How does it work?
Most web applications have forms to receive input from the user. A form with a text field can be exploited by an attacker.
submitted, the server processes the input and returns it. This is not the scenario we want to happen.
Suppose your form looks like this (using Spring form tags):
The attacker may type something like " jeevanalert("I won.") " into the text field. When the form is submitted, the page is returned with an error because the user is not authenticated.
If the input text is converted into HTML escape sequences while the server processes it, the browser receives only the escape sequences. The resulting text is not valid JavaScript, so the browser will not execute it.
After conversion into HTML escape sequences, the input above would look like:
Solution with Spring MVC
In Spring MVC, form tags are used to build the JSP page. Spring MVC provides several options for applying HTML escaping on the server side.
- At global level, it can be defined in the file. This applies to the entire application: all form tags refer to this definition. The sample code is shown below:
- At page level, it is defined as a tag declaration. The code is: Any form tag that follows the above declaration uses HTML escape encoding.
- The third option is to define it as an attribute on each form tag. For example, a text input can be defined as:
Depending on the requirement, it can be implemented at the global, page, or tag level.
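The transformation described above (and applied by all three Spring options, whichever level you pick: the defaultHtmlEscape context parameter, the spring:htmlEscape page tag, or the htmlEscape attribute on an individual form tag) is shown below as an added example. This is not code from the original post; it is a small stand-alone escaper that handles the same characters Spring's HtmlUtils.htmlEscape covers, rendering the error page with and without escaping so the difference the browser sees is visible. The field name, the page fragment and the sample input are constructed for the demonstration.

```java
/**
 * Added example (not code from the original post): a minimal HTML escaper of the
 * kind the Spring form tags apply when htmlEscape is enabled, used to show what
 * the browser receives with and without server-side escaping.
 */
public class HtmlEscapeDemo {

    /** Replaces the characters that can change HTML structure with entity references. */
    public static String htmlEscape(String input) {
        if (input == null) {
            return null;
        }
        StringBuilder out = new StringBuilder(input.length() + 16);
        for (int i = 0; i < input.length(); i++) {
            char c = input.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    /** Renders the (constructed) page fragment the server sends back after a failed submission. */
    public static String renderErrorPage(String fieldName, String submitted, boolean escape) {
        String value = escape ? htmlEscape(submitted) : submitted;
        return "<p class=\"error\">User " + value + " is not authenticated.</p>\n"
             + "<input type=\"text\" name=\"" + fieldName + "\" value=\"" + value + "\"/>";
    }

    public static void main(String[] args) {
        // Constructed sample input: the alert payload from the post, typed into the text field.
        String submitted = "<script>alert(\"I won.\")</script>";

        System.out.println("Unescaped: the browser parses a real <script> element and runs it");
        System.out.println(renderErrorPage("name", submitted, false));
        System.out.println();
        System.out.println("Escaped: the browser shows the text; no script element is created");
        System.out.println(renderErrorPage("name", submitted, true));
    }
}
```

In the escaped output every `<` becomes `&lt;` and every `"` becomes `&quot;`, so the markup the server sends back contains no script element and no closing quote that could terminate the value attribute; the browser displays the literal text instead of executing it. This is output encoding at render time, which is the control the three Spring options switch on.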
Another solution to the XSS issue is to filter all the text fields in the form at the time the form is submitted. It needs an XML entry in the file and two simple classes.
The code for the first class is:
The code for the second class is:
The only thing remaining is the XML entry in the file:
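The two classes and the deployment-descriptor entry described above, written out as an added example. These are not the post's own classes (whose names are not present in the extracted text): the class names, the package in the filter mapping and the filter name are assumptions. The example assumes the javax.servlet API and Spring's HtmlUtils on the classpath.

```java
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

import org.springframework.web.util.HtmlUtils;

/**
 * Added example (not the post's own class): a request wrapper that returns every
 * request parameter HTML-escaped. Escaping delegates to Spring's HtmlUtils.htmlEscape.
 */
class HtmlEscapingRequestWrapper extends HttpServletRequestWrapper {

    HtmlEscapingRequestWrapper(HttpServletRequest request) {
        super(request);
    }

    private static String escape(String value) {
        return value == null ? null : HtmlUtils.htmlEscape(value);
    }

    private static String[] escapeAll(String[] values) {
        if (values == null) {
            return null;
        }
        String[] escaped = new String[values.length];
        for (int i = 0; i < values.length; i++) {
            escaped[i] = escape(values[i]);
        }
        return escaped;
    }

    @Override
    public String getParameter(String name) {
        return escape(super.getParameter(name));
    }

    @Override
    public String[] getParameterValues(String name) {
        return escapeAll(super.getParameterValues(name));
    }

    // Cover getParameterMap() too: some code paths read the whole map rather than single names.
    @Override
    public Map<String, String[]> getParameterMap() {
        Map<String, String[]> escaped = new HashMap<>();
        for (Map.Entry<String, String[]> e : super.getParameterMap().entrySet()) {
            escaped.put(e.getKey(), escapeAll(e.getValue()));
        }
        return escaped;
    }
}

/** Second class (assumed name): the filter that installs the wrapper for each request. */
public class HtmlEscapingFilter implements Filter {

    @Override
    public void init(FilterConfig filterConfig) {
        // nothing to configure
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        if (request instanceof HttpServletRequest) {
            request = new HtmlEscapingRequestWrapper((HttpServletRequest) request);
        }
        chain.doFilter(request, response);
    }

    @Override
    public void destroy() {
        // nothing to release
    }
}

/*
 * Corresponding deployment-descriptor entry (assumed filter name and package):
 *
 *   <filter>
 *     <filter-name>htmlEscapingFilter</filter-name>
 *     <filter-class>com.example.web.HtmlEscapingFilter</filter-class>
 *   </filter>
 *   <filter-mapping>
 *     <filter-name>htmlEscapingFilter</filter-name>
 *     <url-pattern>/*</url-pattern>
 *   </filter-mapping>
 */
```

Two caveats a practitioner should weigh before choosing this approach over the form-tag options. First, the filter escapes data on the way in, so whatever the controller stores is already escaped (an `&` in a name is persisted as `&amp;`), and if the form tags also escape on the way out the page shows double-escaped text. Second, the wrapper only covers request parameters; headers, path segments and JSON request bodies are not touched, so output encoding at render time remains the primary control and the filter is best treated as a defence in depth.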
We have four approaches to prevent the XSS threat.
Choose the approach according to your need.