
Form security by replacing '>', '<' characters

开发者 https://www.devze.com 2023-03-08 06:16 Source: web

I create a web form with JSP, and to prevent attacks I do the following:

input = input.replace("<", "something else");
input = input.replace(">", "something else");

so a user cannot add HTML or other tags inside a form.

Is this enough to prevent attacks of this kind (insertions of HTML or other tags inside my website)?

Thank you, JH. G.


In short, no. I recommend that you check out the ESAPI project for this. They have built-in tools to HTML-encode requests and responses so as to prevent XSS attacks.


This is not entirely the right way. It's not only incomplete, as ', " and & also need to be escaped, but you should actually be using JSTL <c:out> or fn:escapeXml() to escape HTML/XML entities on the view side.

E.g.

<%-- taglib declarations needed at the top of the JSP for c: and fn: --%>
<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
<%@ taglib prefix="fn" uri="http://java.sun.com/jsp/jstl/functions" %>

<c:out value="${bean.value}" />
<input type="text" name="foo" value="${fn:escapeXml(param.foo)}" />

See also:

  • XSS prevention in JSP/Servlet web application
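As an added illustration (not code from the question or from either answer), the stand-alone Java class below contrasts the poster's two replace() calls with an encoder that handles all five characters the answer lists. The escapeXml method is written here to mirror the output of JSTL's fn:escapeXml and is not the JSTL source; the submitted value is a constructed sample.

```java
public final class EscapeDemo {

    // Re-creation of the poster's approach: only '<' and '>' are replaced.
    static String naiveFilter(String input) {
        return input.replace("<", "something else").replace(">", "something else");
    }

    // Output encoding the way JSTL's <c:out> / fn:escapeXml do it: the five
    // XML-significant characters become entities, everything else is untouched.
    // Written here as a plain method so the comparison runs without a container.
    static String escapeXml(String input) {
        StringBuilder sb = new StringBuilder(input.length() + 16);
        for (int i = 0; i < input.length(); i++) {
            char c = input.charAt(i);
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '\'': sb.append("&#039;"); break;
                case '"':  sb.append("&#034;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // The attribute from the answer's second example, with the value spliced in.
    static String renderInput(String value) {
        return "<input type=\"text\" name=\"foo\" value=\"" + value + "\" />";
    }

    public static void main(String[] args) {
        // Constructed sample: no angle brackets at all, but a double quote that
        // terminates the value attribute. The naive filter passes it through
        // unchanged, so the user-controlled text ends up as its own attribute.
        String submitted = "Bob\" title=\"injected";
        System.out.println("naive:   " + renderInput(naiveFilter(submitted)));
        // With full escaping every quote is an entity, so the browser sees a
        // single value attribute containing plain text.
        System.out.println("escaped: " + renderInput(escapeXml(submitted)));
    }
}
```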
