
I am using JSF 1.2. I want to display a message to the user which reads like this:

"Please click here to login with your new password."

Code in my xhtml page,

<h:outputFormat value="#{msg.resetBackToLogin}" escape="false"></h:outputFormat>

And below is the code from my Property file.

Please <a href="http://myDomain/"> click here </a> to login with your new password.

Since it contains special characters, I am using h:outputFormat with escape=false. I felt that using h:commandLink, calling a bean method and redirecting there would simply add overhead.

As I am using h:outputFormat with escape=false, this will lead to an XSS attack. How can I prevent this if I am sticking to h:outputFormat?

Vikas V
  • How does this lead to XSS? You are displaying a trusted string containing a trusted html fragment. Or did I misunderstand? – Erlend Nov 09 '12 at 06:42
  • @Erlend Please check these links: [Link1](http://seamframework.org/Documentation/CrossSiteScripting). This talks specifically about Seam. This [Link2](http://java.dzone.com/articles/securing-your-jsf-pages) talks in general. And this [Link3](http://stackoverflow.com/questions/9972870/jsf-2-0-escape-false-alternative-to-prevent-xss) talks about "Safe source" and non-editable text, which I didn't exactly understand; I am not sure what "Safe source" was meant to be. So, I am under the impression that my above code could lead to XSS. Hope I am clear. – Vikas V Nov 09 '12 at 07:53

0 Answers
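The comment thread above hinges on where the text comes from: with escape="false", h:outputFormat emits the bundle string verbatim, and it also substitutes any f:param values verbatim, because the renderer formats the string with java.text.MessageFormat. The following is an added example, not code from the question or from the JSF project. It models that behaviour with plain MessageFormat rather than calling JSF, and it assumes a constructed bundle entry that, unlike the question's message, carries a {0} placeholder filled from user input; the class, method and sample names are hypothetical. It shows that the question's parameter-free message is not an XSS vector on its own, that an unescaped user-supplied parameter is, and that escaping the parameters while leaving the bundle markup intact keeps the link working:

```java
import java.text.MessageFormat;

/** Added example (not from the question): what h:outputFormat escape="false" emits, modelled with MessageFormat. */
public class OutputFormatXssDemo {

    // Constructed bundle entry shaped like the question's resetBackToLogin message,
    // but with a {0} placeholder that an <f:param> would fill (hypothetical).
    static final String TRUSTED_BUNDLE_TEMPLATE =
        "Hello {0}, please <a href=\"http://myDomain/\"> click here </a> to login with your new password.";

    /** Minimal HTML escaping of the five characters that matter in text and attribute context. */
    static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Mirrors escape="false": the template and every parameter reach the browser unchanged. */
    static String renderUnescaped(String template, Object... params) {
        return MessageFormat.format(template, params);
    }

    /** Defensive variant: escape each dynamic parameter, keep the bundle's own markup as-is. */
    static String renderWithEscapedParams(String template, String... params) {
        Object[] safe = new Object[params.length];
        for (int i = 0; i < params.length; i++) {
            safe[i] = escapeHtml(params[i]);
        }
        return MessageFormat.format(template, safe);
    }

    public static void main(String[] args) {
        // Constructed user-controlled value, e.g. a display name taken from a form field.
        String userName = "Bob<script>alert(1)</script>";

        // No parameters: only the trusted bundle text is emitted, so there is nothing for an attacker to inject.
        System.out.println(renderUnescaped(
            "Please <a href=\"http://myDomain/\"> click here </a> to login with your new password."));

        // escape="false" with an untrusted parameter: the script tag is emitted verbatim.
        System.out.println(renderUnescaped(TRUSTED_BUNDLE_TEMPLATE, userName));

        // Escaping the parameter but not the template neutralises the payload and keeps the link.
        System.out.println(renderWithEscapedParams(TRUSTED_BUNDLE_TEMPLATE, userName));
    }
}
```

The practical rule this illustrates: escape="false" is acceptable when the bundle file is the only source of the rendered text and nobody outside the deployment can edit it; the moment user-controlled data enters the message (an f:param, or a bundle value loaded from a database or admin screen), each such value has to be HTML-escaped before formatting, because the component will not do it for you. Note that MessageFormat treats single quotes specially, so a bundle entry containing an apostrophe needs it doubled ('') to render correctly.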