I am trying to protect my Spring MVC web application from cross-site scripting (XSS) attacks.
At first I thought I could just set defaultHtmlEscape in my web.xml and be done with it. But I found that it had no effect. As explained here - Spring or html to run App-Server does not work JAVA MVC, defaultHtmlEscape does not affect INPUTS. It only sanitizes OUTPUTS in c:out tags.
So I decided I would write a filter to intercept requests, check the parameters and sanitize them as needed. But while looking at how to write a filter, I came across this - XSS Filter on enctype="multipart/form-data" forms. It contains comments suggesting that filtering input is a bad idea, and that I should stick to filtering output.
Several posts mention HDIV and other third-party security solutions, but I would prefer not to introduce a new third-party dependency into my project for something as basic as sanitization.
But filtering output seems awkward and error-prone. Are all the developers who touch my web application expected to use c:out for EVERY output value on EVERY JSP page? Is there a better global solution? What is the best practice here?
Thanks in advance for your advice.
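As an added illustration (not code from the question or from Spring itself) of why the linked comments favour encoding output rather than filtering input: the same user-supplied value needs a different encoding depending on where in the page it is rendered, which a request filter cannot know. It assumes spring-web on the classpath for HtmlUtils and JavaScriptUtils; the class and method names are the example's own.

```java
import org.springframework.web.util.HtmlUtils;
import org.springframework.web.util.JavaScriptUtils;

/**
 * Output encoding chosen per rendering context, the approach recommended
 * over sanitizing request parameters in a servlet filter.
 * Assumes spring-web is available (HtmlUtils, JavaScriptUtils).
 */
public class OutputEncodingDemo {

    // Constructed sample value: perfectly legitimate user data that still
    // contains characters significant to HTML and JavaScript. An input
    // filter that rejected or stripped these would corrupt real data.
    static final String USER_VALUE = "Tom \"O'Neil\" <admin> & co";

    // HTML body context: what <c:out value="${value}"/> does for you.
    static String htmlText(String v) {
        return "<p>" + HtmlUtils.htmlEscape(v) + "</p>";
    }

    // Quoted HTML attribute context: the double quote must become an
    // entity, otherwise the value could terminate the attribute.
    static String htmlAttribute(String v) {
        return "<input name=\"displayName\" value=\""
                + HtmlUtils.htmlEscape(v) + "\"/>";
    }

    // JavaScript string literal context: HTML entities would be wrong here;
    // quotes, backslashes and line breaks are escaped for a JS literal
    // instead. This is the case a single "sanitize on input" step gets
    // wrong, because one stored value cannot satisfy both encodings.
    static String jsStringLiteral(String v) {
        return "var displayName = '" + JavaScriptUtils.javaScriptEscape(v) + "';";
    }

    public static void main(String[] args) {
        System.out.println(htmlText(USER_VALUE));
        System.out.println(htmlAttribute(USER_VALUE));
        System.out.println(jsStringLiteral(USER_VALUE));
    }
}
```

Running it shows three different encodings of one value, which is the reason the encoding step belongs at the point of output (the JSP tag) rather than in a filter that sees only the raw parameter.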