
This is one of the fields in one of my JSP files:

<input class="form-input" id="login" type="text" name="login"
  <c:choose>
    <c:when test="${action == 'edit' && userToEdit != null}">value="${userToEdit.login}"</c:when>
    <c:when test="${userFromForm != null}">value="${userFromForm.login}"</c:when>
    <c:otherwise>value=""</c:otherwise>
  </c:choose>
  <c:if test="${action == 'edit'}">readonly="readonly"</c:if>>

When adding a user, the login name is writable and not protected against XSS attacks. Could I escape userToEdit.login and userFromForm.login somehow? As far as I know, I could basically use c:out for this purpose or fn:escapeXml() (with a variable, for example). For the latter I tried something like this:

<c:set var="loginValue" value="${userToEdit.login}"/>
<c:set var="loginValueForm" value="${userFromForm.login}"/>

Inside the choose:

<c:when test="${action == 'edit' && userToEdit != null}">value="${fn:escapeXml(loginValue)}"</c:when>
<c:when test="${userFromForm != null}">value="${fn:escapeXml(loginValueForm)}"</c:when>

In the case of c:out I tried something like this:

<c:choose>
  <c:when test="${action == 'edit' && userToEdit != null}">value="<c:out value="${userToEdit.login}"/>"</c:when>
  <c:when test="${userFromForm != null}">value="<c:out value="${userFromForm.login}"/>"</c:when>
  <c:otherwise>value=""</c:otherwise>
</c:choose>

or something like this:

<c:choose>
  <c:when test="${action == 'edit' && userToEdit != null}">value=<c:out value="${userToEdit.login}"/></c:when>
  <c:when test="${userFromForm != null}">value=<c:out value="${userFromForm.login}"/></c:when>
  <c:otherwise>value=""</c:otherwise>
</c:choose>

None of them worked. If I enter a login name like <script>alert("test")</script>, the script runs without any problem. I tried some other possibilities but didn't find the right syntax (if the problem is with the syntax). I must be doing something very wrong.

Update: solved. Possibly I was just dumb, as I had to handle this problem somewhere else. When I submit that script, it goes to a page where users are listed. Users are listed with the help of a custom tag and a Java class belonging to it. So in the other JSP there are these parts:

<%@ taglib prefix="custom" uri="mytags.tld" %> 

and

<custom:userList />

userList uses UserList.java (which extends TagSupport) and I had to prevent the XSS attack there. There I used this:

Apache Commons Text and StringEscapeUtils.escapeHtml4 from it.
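As an added example (not the OP's code, whose UserList.java is not shown), this is what the escaping described above can look like in a TagSupport-based list tag; the nested User class, the request attribute name "users" and the table markup are assumptions:

```java
import java.io.IOException;
import java.util.Collections;
import java.util.List;
import javax.servlet.jsp.JspException;
import javax.servlet.jsp.JspWriter;
import javax.servlet.jsp.tagext.TagSupport;
import org.apache.commons.text.StringEscapeUtils;

// Hypothetical custom tag backing <custom:userList />; the real UserList.java is not on the page.
public class UserList extends TagSupport {

    // Assumed model class: the question only mentions a "login" property.
    public static class User {
        private final String login;
        public User(String login) { this.login = login; }
        public String getLogin() { return login; }
    }

    @Override
    public int doStartTag() throws JspException {
        // Assumes the controller stored the users in request scope under "users".
        @SuppressWarnings("unchecked")
        List<User> users = (List<User>) pageContext.getRequest().getAttribute("users");
        if (users == null) {
            users = Collections.emptyList(); // nothing stored yet: render an empty table
        }
        JspWriter out = pageContext.getOut();
        try {
            out.print("<table class=\"user-list\">");
            for (User u : users) {
                // Vulnerable: writing the stored login verbatim turns a login of
                // <script>alert("test")</script> into live markup on the list page.
                // out.print("<tr><td>" + u.getLogin() + "</td></tr>");

                // Fixed: escapeHtml4 rewrites < > & " as &lt; &gt; &amp; &quot;,
                // so the browser shows the login as text instead of executing it.
                out.print("<tr><td>" + StringEscapeUtils.escapeHtml4(u.getLogin()) + "</td></tr>");
            }
            out.print("</table>");
        } catch (IOException e) {
            throw new JspException(e);
        }
        return SKIP_BODY;
    }
}
```

escapeHtml4 leaves the single quote untouched, so it is safe for element content and double-quoted attribute values like the value="..." above, but not for a single-quoted or unquoted attribute.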

  • What does the final HTML look like when you use fn:escapeXml()? Like, when you examine the DOM, what's there?
    – Pointy
    Commented Jul 4 at 19:55
  • Sorry, I don't understand the question, I'm a very beginner. Inside my JSTL there is a form using POST, and inside that login is one of my text fields. When I tried to use fn:, it looked like the one in this question; it was changed in the when parts as written in the question above. Somewhere before this part the 2 variables were defined as I wrote in the question above. Apologies if my wording is confusing. I added a screenshot of the problematic part.
    – DoWhileFor
    Commented Jul 4 at 20:59
  •
    Solved. I put my solution to the bottom of the question. I can't tell whether it could be useful to anybody. But maybe. I just leave it here for now. Please delete it if it shouldn't be here or let me know that I should delete it.
    – DoWhileFor
    Commented Jul 4 at 22:56
  •
    Next time post a minimal reproducible example so people better understand what you were actually doing.
    – BalusC
    Commented Jul 5 at 10:31
  • Also, solutions should be posted as answers rather than as part of the question 👍🏻
    Commented Jul 5 at 12:19

1 Answer

You just confuse XSS with escaping HTML output. If you use <c:out> or ${fn:escapeXml()} then it prevents XSS from being rendered. The tags and EL expressions are executed on the server. It doesn't execute immediately when you input a <script> tag into the input field of the form; it's sent to the server for rendering.

You can use any escape utils to keep HTML tags, JS code and XML from being output unescaped to the response.

For further reading see Cross Site Scripting (XSS).

  • That was actually answered; the OP wanted to prevent XSS but didn't debug the code to see where the script popped up.
    – Roman C
    Commented Jul 5 at 12:10
