Spring MVC defaultHtmlEscape - does it work on the way or not?

When I set defaultHtmlEscape to true in web.xml, the values set in all input fields will be escaped.

But when they are sent, the values are not escaped.

So, is it true that this parameter is intended only for output and does not cover the incoming parameters (and therefore, if I want to store xss-safe values in the database, I have to do something else)?

+8
java spring spring-mvc
2 answers

The default HTML output settings for input fields are already true , so true means the behavior you get by default.

Moreover, I think that if you want to keep xss-safe values in the database, you need to set it to false to avoid double escaping.

So, you need something else to escape the input, possibly a filter. Although I do not think that output escaping is a good idea, consistent output escaping looks more reliable and does not cause problems with processing data in the database.

+6

I think that to escape the form input you need to do the following:

 <form:input path="someProperty" htmlEscape="true" /> 
+1
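The two answers above describe two different places to escape: defaultHtmlEscape / htmlEscape="true" act when the form tags render output, while escaping what the browser submits needs "something else, possibly a filter". The following is an added example, not code from the question, the answers or Spring itself: a servlet Filter that wraps the request and HTML-escapes every parameter before the controller sees it, using Spring's real org.springframework.web.util.HtmlUtils.htmlEscape. The class names HtmlEscapingParameterFilter and EscapingRequest, the javax.servlet API (rather than jakarta.servlet) and the sample input are assumptions. The main method also shows the double-escaping trap the first answer warns about: data escaped once on the way in and escaped again by the form tags on the way out.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

import org.springframework.web.util.HtmlUtils;

// Added example (hypothetical class name): escapes request parameters on the way in.
// Register it in web.xml as a <filter> mapped to the controller URLs; this is
// separate from the defaultHtmlEscape <context-param>, which only affects rendering.
public class HtmlEscapingParameterFilter implements Filter {

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        if (request instanceof HttpServletRequest) {
            // Hand the controller a wrapper whose parameter accessors return escaped values
            chain.doFilter(new EscapingRequest((HttpServletRequest) request), response);
        } else {
            chain.doFilter(request, response);
        }
    }

    // Hypothetical wrapper: every parameter accessor applies HtmlUtils.htmlEscape
    static final class EscapingRequest extends HttpServletRequestWrapper {
        EscapingRequest(HttpServletRequest request) {
            super(request);
        }

        @Override
        public String getParameter(String name) {
            String raw = super.getParameter(name);
            return raw == null ? null : HtmlUtils.htmlEscape(raw);
        }

        @Override
        public String[] getParameterValues(String name) {
            String[] raw = super.getParameterValues(name);
            if (raw == null) {
                return null;
            }
            return Arrays.stream(raw).map(HtmlUtils::htmlEscape).toArray(String[]::new);
        }

        @Override
        public Map<String, String[]> getParameterMap() {
            // Data binding reads this map, so it must be escaped as well
            Map<String, String[]> escaped = new HashMap<>();
            super.getParameterMap().keySet().forEach(k -> escaped.put(k, getParameterValues(k)));
            return escaped;
        }
    }

    // Stand-alone check of the escaping itself and of the double-escaping problem
    public static void main(String[] args) {
        String submitted = "<b>name</b> & \"quotes\"";          // constructed input
        String stored = HtmlUtils.htmlEscape(submitted);         // what the filter hands to the controller
        String renderedAgain = HtmlUtils.htmlEscape(stored);     // form tag escaping applied to already-escaped data
        System.out.println("stored:         " + stored);
        System.out.println("rendered again: " + renderedAgain);
    }
}
```

Running main shows why the first answer says to set defaultHtmlEscape to false if you escape on input: the first pass turns "<" into "&lt;", and the second pass turns the "&" of that entity into "&amp;", so the browser displays the entity text literally instead of the original character. Escaping in exactly one place, either in this filter or at output time, avoids that, and the first answer's preference for consistent output escaping also keeps the stored data searchable in its original form.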
