2

I am getting a Veracode issue on the line below:

<input type = "hidden" name = "studentName" value = "<%=viewBean.getStudName()%>">

The issue is on <%=viewBean.getStudName()%>. The issue reported is "Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)". I have tried the fix given on cwe.mitre.org but I could not apply it properly. Can anyone help me with how to overcome this issue?

ROMANIA_engineer
Kalaiyarasan

5 Answers

1

Use

<%@ taglib uri="http://java.sun.com/jsp/jstl/core" prefix="c" %>
<input type="hidden" name="studentName" value="<c:out value="${viewBean.studName}"/>">

instead; it escapes XML.

Kypros
jmj
0

As per CWE,

The software receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special characters such as "<", ">", and "&" that could be interpreted as web-scripting elements when they are sent to a downstream component that processes web pages.

You need to escape HTML, which can be done if you use JSTL tags as @jigar suggested.

Some info on SO about how to fix the error:

  1. Veracode - Improper Neutralization of Script-Related HTML tags in a Web Page (Basic XSS)
  2. How to fix Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) with error message?
Community
Santhosh
0
<%@ page import="org.apache.commons.lang.StringEscapeUtils" %>
<input type = "hidden" name = "studentName" value = "<%=StringEscapeUtils.escapeHtml(viewBean.getStudName())%>">

Used like this. It's working now, as advised by @Jigar Joshi and @San Krish.

double-beep
Kalaiyarasan
0

Include the following JSTL taglib in the JSP:

<%@ taglib uri="http://java.sun.com/jsp/jstl/functions" prefix="fn" %>

and use

<input type="hidden" name="studentName" value="${fn:escapeXml(viewBean.studName)}">

If you are using the JSTL core <c:out/> tag, you can use escapeXml="true" to avoid XSS.

Deepesh verma
0

You need to use HTML encoding while printing the value; that is why it is giving the error. So it should be encoded as value = "<%=ESAPI.encoder().encodeForHtml(viewBean.getStudName())%>">

You need to import org.owasp.esapi.ESAPI and org.owasp.esapi.Encoder.

This will surely resolve the issue.
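All five answers come down to the same fix: pass the student name through an HTML/XML escaper before it is written into the value attribute. The following plain Java program is an added example, not code from the question or from any of the answers, that shows what that escaping does to a crafted name without needing a servlet container. The escape table is a hand-written equivalent of the five replacements JSTL's fn:escapeXml performs (it is not the JSTL, commons-lang or ESAPI implementation), and the ViewBean class and the sample name are constructed for the demonstration.

```java
import java.util.HashMap;
import java.util.Map;

/**
 * Added example: hand-written equivalent of fn:escapeXml applied to the
 * hidden input from the question, so the raw and escaped markup can be
 * compared side by side.
 */
public class HiddenInputEscapeDemo {

    /** Constructed stand-in for the page's viewBean (assumed shape). */
    public static class ViewBean {
        private final String studName;

        public ViewBean(String studName) {
            this.studName = studName;
        }

        public String getStudName() {
            return studName;
        }
    }

    /** The five characters fn:escapeXml replaces, with the entities it uses. */
    private static final Map<Character, String> XML_ESCAPES = new HashMap<>();
    static {
        XML_ESCAPES.put('&', "&amp;");
        XML_ESCAPES.put('<', "&lt;");
        XML_ESCAPES.put('>', "&gt;");
        XML_ESCAPES.put('"', "&#034;");
        XML_ESCAPES.put('\'', "&#039;");
    }

    /** Equivalent of ${fn:escapeXml(s)}: null becomes "", the five characters become entities. */
    public static String escapeXml(String s) {
        if (s == null) {
            return "";
        }
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            String entity = XML_ESCAPES.get(c);
            if (entity != null) {
                out.append(entity);
            } else {
                out.append(c);
            }
        }
        return out.toString();
    }

    /** What the original scriptlet <%=viewBean.getStudName()%> emits: the raw value. */
    public static String renderUnescaped(ViewBean viewBean) {
        return "<input type=\"hidden\" name=\"studentName\" value=\""
                + viewBean.getStudName() + "\">";
    }

    /** What the fixed page emits: the value passed through escapeXml first. */
    public static String renderEscaped(ViewBean viewBean) {
        return "<input type=\"hidden\" name=\"studentName\" value=\""
                + escapeXml(viewBean.getStudName()) + "\">";
    }

    /** Number of '<' in the markup: exactly one means the value stayed inside the attribute. */
    public static int countTagOpeners(String html) {
        int n = 0;
        for (int i = 0; i < html.length(); i++) {
            if (html.charAt(i) == '<') {
                n++;
            }
        }
        return n;
    }

    public static void main(String[] args) {
        // Constructed sample: a "name" that closes the attribute and starts a script element.
        ViewBean viewBean = new ViewBean("O'Brien\"><script>alert(1)</script>");

        String unsafe = renderUnescaped(viewBean);
        String safe = renderEscaped(viewBean);

        System.out.println("unescaped: " + unsafe);
        System.out.println("escaped:   " + safe);
        System.out.println("tag openers, unescaped: " + countTagOpeners(unsafe));
        System.out.println("tag openers, escaped:   " + countTagOpeners(safe));
        System.out.println("escaped markup contains <script: " + safe.contains("<script"));
    }
}
```

Compile and run it with javac and java. In the unescaped output the quote in the name terminates the value attribute and the rest of the name becomes a second element; in the escaped output every quote and angle bracket is an entity, so the whole name stays inside the attribute. The browser decodes those entities when it submits the form, so the server still receives the original name unchanged, which is why the fix does not alter the application's data.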