Fixing Cross-site Scripting in Spring MVC

Posted on May 1, 2012July 12, 2019 by Yash

In Spring-MVC, form-tags are used to create jsp page. Spring MVC provides multiple options to encode the html-escape-sequences on server side.

Add to the web.xml file to apply the filter globaly:

        <context-param>
            <param-name>defaultHtmlEscape</param-name>
            <param-value>true</param-value>
        </context-param>

At page level, it is defined as a tag-declaration. The code is:

<spring:htmlEscape defaultHtmlEscape="true" />

About Yash

3 thoughts on “Fixing Cross-site Scripting in Spring MVC”

Pingback: How to Fix Cross-site Scripting Vulnerabilities : Secure Coding Blog
manish mahadik says:

March 30, 2015 at 6:15 pm

need to fix

Reply
mohammad says:

August 12, 2018 at 9:29 am

how to set java config for the filter globaly?

Reply

Leave a Reply Cancel reply