Spring MVC : How to Protect Application from CSRF and XSS

Question

What is the best way to protect our Spring MVC application from CSRF and XSS.

Is there native Spring MVC support for this?

Answer 1

In Spring:

Forms ( globally):

<context-param>
<param-name>defaultHtmlEscape</param-name>
<param-value>true</param-value>
</context-param>

Forms ( locally):

<spring:htmlEscape defaultHtmlEscape="true" />

Answer 2

You can use Spring Security 3.2.0.RELEASE and enable csrf support with this configuration

<http>
    <!-- ... -->
    <csrf />
</http>

Answer 3

Here is a blog about it.

http://blog.eyallupu.com/2012/04/csrf-defense-in-spring-mvc-31.html

another one.

http://web.securityinnovation.com/appsec-weekly/blog/bid/79007/How-to-Prevent-Cross-Site-Request-Forgery-CSRF-in-SpringMVC

For token generation esapi can be used. https://code.google.com/p/owasp-esapi-java/