I am trying to resolve a cross site scripting exception in my code. I'm getting an XSS error at line where I was using JSP expression inside a JS c开发者_开发问答ode
ex: inside a JS function
function ex(){
.....
var loc = '<%= location.getLocDetails()>';
.....
}
Please let me know, if you have any solution/workaround?
Note:location.getLocDetails()
returns a StringThere's only means of XSS risks if location.getLocDetails()
can return user-controlled input. If it for example returns the value straight from the HTTP Accept-Language
header without any syntax checking or escaping, then there's indeed means of XSS risks.
You should always escape user-controlled input during display, at least every input which can to a certain degree be controlled by the client, including HTTP request headers and request URL's. It is basically is fairly simple, just use a display tool which escapes HTML entities <
, >
, "
and '
.
In case of JSP, easiest way is to use JSTL (just drop jstl-1.2.jar in /WEB-INF/lib
if not done yet) <c:out>
tag for this. Thus the particular line should be replaced by (assuming that location
is already available in page, request, session or application scope):
var loc = '<c:out value="${location.locDetails}" />';
That said, it's right high time to get rid of all scriptlets in your JSP file, it would only make it better :) To learn more about JSTL, read this.
精彩评论