53 lines
1.6 KiB
Plaintext
53 lines
1.6 KiB
Plaintext
=== How to fix it in JSP
|
|
|
|
The following code is vulnerable to cross-site scripting because JSP does not auto-escape variables.
|
|
|
|
User input embedded in HTML code should be HTML-encoded to prevent the injection of additional code. This can be done with the https://owasp.org/www-project-java-encoder/[OWASP Java Encoder] or similar libraries.
|
|
|
|
==== Noncompliant code example
|
|
|
|
[source,html,diff-id=1,diff-type=noncompliant]
|
|
----
|
|
<%@page contentType="text/html" pageEncoding="UTF-8"%>
|
|
<%@taglib prefix="e" uri="https://www.owasp.org/index.php/OWASP_Java_Encoder_Project" %>
|
|
<!doctype html>
|
|
<html>
|
|
<body>
|
|
<h1>${param.title}</h1> <!-- Noncompliant -->
|
|
</body>
|
|
</html>
|
|
----
|
|
|
|
==== Compliant solution
|
|
|
|
[source,html,diff-id=1,diff-type=compliant]
|
|
----
|
|
<%@page contentType="text/html" pageEncoding="UTF-8"%>
|
|
<%@taglib prefix="e" uri="https://www.owasp.org/index.php/OWASP_Java_Encoder_Project" %>
|
|
<!doctype html>
|
|
<html>
|
|
<body>
|
|
<h1>${e:forHtml(param.title)}</h1>
|
|
</body>
|
|
</html>
|
|
----
|
|
|
|
=== How does this work?
|
|
|
|
Template engines are used by web applications to build HTML content. Template files contain static HTML as well as template language instruction. These instructions allow, for example, to insert dynamic values into the document as the template is rendered.
|
|
|
|
include::../../common/fix/data_encoding.adoc[]
|
|
|
|
`org.owasp.encoder.Encode.forHtml` is the recommended method to encode HTML entities.
|
|
|
|
=== Pitfalls
|
|
|
|
include::../../common/pitfalls/content-types.adoc[]
|
|
|
|
include::../../common/pitfalls/validation.adoc[]
|
|
|
|
=== Going the extra mile
|
|
|
|
include::../../common/extra-mile/csp.adoc[]
|
|
|