
In my web app the input from HTML forms goes to a database and then back out to HTML (like forums or comments).

I want to know how I should secure my web app. Which characters (HTML tags) should I remove from the textarea?

My web app is in Spring MVC, but rules may be more general.

Brissles
  • possible duplicate of [Libs for HTML sanitizing](http://stackoverflow.com/questions/1947021/libs-for-html-sanitizing) – Pekka Dec 30 '10 at 16:35
  • I hope the duplicate is useful (I'm not familiar with Java and Spring.) If it isn't, please say so. Unless it's for learning, this is definitely a job for a library - the number of things that need to be sanitized is large – Pekka Dec 30 '10 at 16:35

1 Answer


If you use the `<c:out value="text" />` core tag, it will escape characters so they won't be interpreted as HTML. It has an attribute called `escapeXml`, which can be `true` or `false` to control the escaping; it is `true` by default.

Javi
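As an added example (not part of the answer above), here is a JSP view for the forum/comment case from the question, showing the unescaped EL output beside the `<c:out>` version and the `escapeXml="false"` setting that turns escaping back off. It assumes the Spring controller put a `List` of comment objects with `getAuthor()` and `getBody()` into the model under the name `comments`.

```jsp
<%@ page contentType="text/html; charset=UTF-8" pageEncoding="UTF-8" %>
<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
<%-- Assumed model attribute: "comments", a List of objects with getAuthor() and getBody(),
     both holding text exactly as the user typed it and as it was stored in the database. --%>
<!DOCTYPE html>
<html>
<head><title>Comments</title></head>
<body>
<ul>
<c:forEach var="comment" items="${comments}">
  <li>
    <%-- UNSAFE: a bare EL expression in template text is written out verbatim,
         so any markup stored in the body is interpreted by the browser. --%>
    <%-- ${comment.body} --%>

    <%-- SAFE: c:out escapes <, >, &, ' and " (escapeXml defaults to true),
         so stored markup is displayed as text instead of being rendered. --%>
    <strong><c:out value="${comment.author}" /></strong>:
    <c:out value="${comment.body}" />

    <%-- ALSO UNSAFE: escapeXml="false" disables the escaping and behaves like
         the bare EL expression; only use it for content already sanitized. --%>
    <%-- <c:out value="${comment.body}" escapeXml="false" /> --%>
  </li>
</c:forEach>
</ul>
</body>
</html>
```

Escaping at output time like this means nothing has to be stripped from the textarea: the database keeps the original text, and the view decides how it is rendered.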