如何修复 JSP 表达式标签中的跨站点脚本 (XSS)

Question

I am not sure how to fix cross site scripting (persistent) for scriptlet tags in Jsp's For example

<%=value%> "/> I am also attaching a image that has scriptlet examples i am not sure how to fix those, please help me in fixing by proving some fixes enter image description here

Answer 1

you can control by your framework configuration. in Spring Security Framework use following code( https://docs.spring.io/spring-security/site/docs/current/reference/html/headers.html#headers-xss-protection ):

Some browsers have built in support for filtering out reflected XSS attacks. This is by no means foolproof, but does assist in XSS protection.

The filtering is typically enabled by default, so adding the header typically just ensures it is enabled and instructs the browser what to do when a XSS attack is detected. For example, the filter might try to change the content in the least invasive way to still render everything. At times, this type of replacement can become a XSS vulnerability in itself. Instead, it is best to block the content rather than attempt to fix it. To do this we can add the following header:

X-XSS-Protection: 1; mode=block

This header is included by default. However, we can customize it if we wanted. For example:

<http>
    <!-- ... -->

    <headers>
        <xss-protection block="false"/>
    </headers>
</http>

Similarly, you can customize XSS protection within Java Configuration with the following:

@EnableWebSecurity
public class WebSecurityConfig extends
WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
        // ...
        .headers()
            .xssProtection()
                .block(false);
    }
    }