Java 5 HTML escaping To Prevent XSS

刺人心
刺人心 2020-12-05 12:19

I'm looking into some XSS prevention in my Java application.

I currently have custom built routines that will escape any HTML stored in the database for safe displa

3 answers
  •  隐瞒了意图╮
    2020-12-05 12:49

    You normally escape XSS during display, not during store. In JSP you can use the JSTL (just drop jstl-1.2.jar in /WEB-INF/lib) <c:out> tag or fn:escapeXml function for this. E.g.

    <c:out value="${bean.userdata}" />

    or

    ${fn:escapeXml(bean.userdata)}

    That's it. If you do it during processing the input and/or storing in DB as well, then it's all spread over the business code and/or in the database. You should not do that, it's only maintenance trouble and you will risk double-escapes or more when you do it at different places (e.g. & would become &amp;amp; instead of &amp;, so that the end user would literally see &amp; instead of & in the view). The code and DB are not sensitive to XSS. Only the view is. You should then escape it only right there.

    Update: you've posted 4 topics about the same subject:

    • Cross Site Scripting - Hidden Form Fields
    • HttpServletRequest - Quick way to encode url and hidden field parameters
    • HttpServletRequest - SetParameter
    • This one.

    I will only warn you: you do not need to escape it in servlet/filter/javacode/database/whatever. You're only unnecessarily overcomplicating things. Just escape it during display. That's all.
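    The double-escaping problem the answer describes, shown in plain Java as an added example (not code from the question or the answer). escapeHtml is an assumed stand-in for what fn:escapeXml / <c:out> do; the two render functions contrast escaping once at display time with escaping on store and again on display.

```java
public class DisplayTimeEscaping {

    // Minimal HTML escaper in the spirit of fn:escapeXml / <c:out>.
    // Escapes the five characters that can break out of text or attribute context.
    static String escapeHtml(String input) {
        if (input == null) return "";
        StringBuilder sb = new StringBuilder(input.length() + 16);
        for (int i = 0; i < input.length(); i++) {
            char c = input.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;"); break;
                case '<':  sb.append("&lt;");  break;
                case '>':  sb.append("&gt;");  break;
                case '"':  sb.append("&#34;"); break;
                case '\'': sb.append("&#39;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Recommended: store the raw value, escape exactly once when rendering the view.
    static String renderEscapeAtDisplay(String rawUserInput) {
        String stored = rawUserInput;              // database keeps the original text
        return "<p>" + escapeHtml(stored) + "</p>";
    }

    // Anti-pattern from the question: escape on store AND again on display.
    static String renderEscapeOnStoreAndDisplay(String rawUserInput) {
        String stored = escapeHtml(rawUserInput);  // already escaped in the database
        return "<p>" + escapeHtml(stored) + "</p>"; // view escapes a second time
    }

    public static void main(String[] args) {
        // Constructed sample inputs: a harmless ampersand and a script tag.
        String[] samples = { "Tom & Jerry", "<script>alert(1)</script>" };
        for (String s : samples) {
            System.out.println("input:             " + s);
            System.out.println("escape at display: " + renderEscapeAtDisplay(s));
            System.out.println("double-escaped:    " + renderEscapeOnStoreAndDisplay(s));
        }
        // A browser renders the first variant as "Tom & Jerry" but the
        // double-escaped variant literally as "Tom &amp; Jerry".
    }
}
```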
