
I am supporting a legacy application that uses JSF (and JSP). I am doing my best to prevent XSS by adding validators and escapes to the code as necessary. I'm new to JSF.

Code Example (in xhtml):

<h:form id="someForm">
<f:param name="someProperty" value="#{someBean.someProperty}"/>
</h:form>

My Issue: Our security scanner is saying this is vulnerable to XSS Reflection. I'd like to add an escape to the property value.

My Research: I've read JSF typically automatically escapes everything in . It has a parameter you must set to false in order to disable this. However it seems does not have this functionality. I found a suggested code snippet that might work:

<f:param name="someProperty" value="#{fn:escapeXml(someBean.someProperty)}"/>

However when I use fn:escapeXml the page fails to load. How is this typically solved?

Note, this is a critical legacy app. Least invasive action is desired.

Aforementioned article: JSF 2.0; escape="false" alternative to prevent XSS?

  • what is the error message? – Maciej Kowalski Jan 20 '17 at 16:42
  • Browser error is not useful: Failed to open http://localhost:8080/someFile.jsf I was able to get this out of the console in debug mode: Caused by: javax.el.ELException: Function 'fn:escapeXml' not found – MrZii Jan 20 '17 at 17:00

1 Answer


Well this is embarrassing. Turns out one of my xhtml files was missing the required import: xmlns:fn="http://java.sun.com/jsp/jstl/functions"

I added it in and it appears to work now!

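For reference, here is the fix from the answer assembled into a complete Facelets page, as an added example rather than code from the question or answer; the bean name someBean and the page title are assumed. The JSTL functions namespace must be declared on the root element alongside the h: and f: namespaces, otherwise EL cannot resolve fn:escapeXml and the page fails with the ELException shown in the comments.

```xml
<!DOCTYPE html>
<!-- Added example: a minimal Facelets page with the fn: namespace declared,
     so that fn:escapeXml resolves. Bean name someBean is assumed. -->
<html xmlns="http://www.w3.org/1999/xhtml"
      xmlns:h="http://java.sun.com/jsf/html"
      xmlns:f="http://java.sun.com/jsf/core"
      xmlns:fn="http://java.sun.com/jsp/jstl/functions">
<h:head>
    <title>Escaped parameter example</title>
</h:head>
<h:body>
    <h:form id="someForm">
        <!-- f:param writes the value as-is; escapeXml turns <, >, &, ' and "
             into entities so user-controlled text cannot break out into markup. -->
        <f:param name="someProperty" value="#{fn:escapeXml(someBean.someProperty)}"/>
    </h:form>
</h:body>
</html>
```

A quick check after deploying: set someBean.someProperty to a string containing `<` and `"` and confirm in the rendered page source that they appear as `&lt;` and `&quot;` rather than as raw characters.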