I am passing a param with a value from my JSP file, and before that I am using Apache StringEscapeUtils
to avoid any XSS attack script execution using the param value.
For example, if somebody inserts a value like this and gains access:
The cross-site scripting test is currently failing when something like this is passed as the value:
site_locale=en_US%2F%3E%3Ciframe+src%3Djavascript%3Aalert%28116%29+
The blind SQL injection test is currently failing when something like this is passed:
isMgr=true%27+and+%27f%27%3D%27f%27%29+--+
My question here is whether StringEscapeUtils.escapeHtml
will save me from the above type of param value, or do I need another library?
I also wanted to confirm whether the way I am calling StringEscapeUtils
in JSP is correct or not:
<input type="hidden" name="site_locale" value= <%= StringEscapeUtils.escapeHtml(site_locale) %> >
I'd appreciate any pointers here.
Thanks
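Added example, not code from the question or from Commons Lang: a stand-alone Java program that URL-decodes the two scanner payloads from the question, runs the XSS one through the posted template (escaped but unquoted attribute) and through a double-quoted version of the same template, and shows why the SQL injection payload has to go through a PreparedStatement rather than any escaping. It assumes Commons Lang 3, where the method is escapeHtml4 (the question's escapeHtml is the Commons Lang 2 name and escapes the same HTML 4 entities), Java 10 or later for URLDecoder.decode(String, Charset), a hypothetical app_user table with an is_mgr column, and a second attribute-breakout payload constructed for this example.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import org.apache.commons.lang3.StringEscapeUtils; // Commons Lang 3; in Lang 2 it is org.apache.commons.lang.StringEscapeUtils.escapeHtml

public class ParamEscapeDemo {

    // The two payloads from the question, URL-decoded as the servlet container does before the JSP sees them.
    static final String XSS_PAYLOAD =
            URLDecoder.decode("en_US%2F%3E%3Ciframe+src%3Djavascript%3Aalert%28116%29+", StandardCharsets.UTF_8);
    static final String SQLI_PAYLOAD =
            URLDecoder.decode("true%27+and+%27f%27%3D%27f%27%29+--+", StandardCharsets.UTF_8);
    // Constructed for this example: contains none of < > " &, so HTML escaping leaves it completely untouched.
    static final String ATTR_BREAKOUT_PAYLOAD = "x onfocus=alert(1) autofocus";

    /** What the question's JSP emits: the value is escaped, but the value attribute is not quoted,
     *  so the attribute ends at the first space and everything after it becomes new attributes. */
    static String hiddenInputUnquoted(String name, String value) {
        return "<input type=\"hidden\" name=\"" + name + "\" value=" + StringEscapeUtils.escapeHtml4(value) + ">";
    }

    /** Corrected template: double-quoted attribute. escapeHtml4 turns " into &quot;, so the value cannot close
     *  the attribute early, and spaces stay inside it. escapeHtml4 does NOT escape ', so never single-quote it. */
    static String hiddenInputQuoted(String name, String value) {
        return "<input type=\"hidden\" name=\"" + name + "\" value=\"" + StringEscapeUtils.escapeHtml4(value) + "\">";
    }

    /** HTML escaping is the wrong tool for SQL. Parameter binding sends the value separately from the statement
     *  text, so the quotes and the trailing comment in the payload can never alter the query.
     *  Table and column names are hypothetical. */
    static boolean isManager(Connection conn, String isMgrParam) throws SQLException {
        String sql = "SELECT COUNT(*) FROM app_user WHERE is_mgr = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, isMgrParam); // whole payload, quotes and "--" included, is one bound string value
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() && rs.getInt(1) > 0;
            }
        }
    }

    public static void main(String[] args) {
        System.out.println("decoded XSS payload : " + XSS_PAYLOAD);
        // Both lines are safe for this payload because < and > are escaped; the difference shows with the next one.
        System.out.println("unquoted (as posted): " + hiddenInputUnquoted("site_locale", XSS_PAYLOAD));
        System.out.println("quoted (fixed)      : " + hiddenInputQuoted("site_locale", XSS_PAYLOAD));
        // Unquoted, onfocus= and autofocus become attributes of the element even though escapeHtml4 ran.
        // A hidden input cannot take focus, so these two do not fire here, but the same template on a visible
        // element, or with any attribute a script reads back, is attacker-controlled markup. Quoted, it is inert.
        System.out.println("unquoted breakout   : " + hiddenInputUnquoted("site_locale", ATTR_BREAKOUT_PAYLOAD));
        System.out.println("quoted breakout     : " + hiddenInputQuoted("site_locale", ATTR_BREAKOUT_PAYLOAD));
        // escapeHtml4 does not change this string at all (it leaves ' alone), and the database would not care if it did.
        System.out.println("decoded SQLi payload: " + SQLI_PAYLOAD);
        System.out.println("after escapeHtml4   : " + StringEscapeUtils.escapeHtml4(SQLI_PAYLOAD));
    }
}
```

Compile and run with commons-lang3 on the classpath; isManager(...) needs a live java.sql.Connection, so main only prints the HTML side. The two checks a reviewer would make against the posted JSP line follow from it: the attribute must be in double quotes, and escapeHtml belongs on the HTML output only, while the isMgr value has to reach the database through a bound parameter.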