
How do I prevent an XSS attack from this tag in my website: <%=request.getParameter("errorMsg")%>? It is rendering user input from the URL on an error page. The above code snippet is present in an error.jsp file.


Replace the JSP expression

<%= request.getParameter("errorMsg") %>

with the JSTL tag c:out as

<c:out value="${param.errorMsg}" />

This will prevent cross-site scripting attacks by escaping any HTML markup injected into the request parameter: special characters such as < and > are replaced with their equivalent HTML entities &lt;, &gt;, etc.

Make sure to add the JSTL core tag library to your error.jsp using the taglib directive as

<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>

Edit: (in response to OP's comment)

Your code has a bug: it will throw a NullPointerException because encodedValue is null.

Replace it with the static method URLEncoder.encode(request.getParameter("errorMsg"), "UTF-8") instead. Then make sure ErrorHTTPSession.jsp also uses the c:out tag to print this errorMsg, and you should be good.
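To make the two halves of the answer concrete, here is an added stand-alone Java example (not code from the question, the answer, or the JSTL project). It reproduces the escaping that c:out performs by default (the same five characters JSTL's escapeXml replaces), builds the redirect URL from the comment with the static URLEncoder.encode call, and then shows what the second page receives: the payload survives URL encoding and decoding unchanged and only becomes inert at output time, which is why ErrorHTTPSession.jsp needs c:out as well. The payload string is constructed for the demo; the Charset overloads of URLEncoder/URLDecoder assume Java 10 or later.

```java
import java.net.URLDecoder;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;

public class ErrorMsgEscapeDemo {

    // Mirrors what <c:out> does with its default escapeXml="true":
    // the five characters that can switch HTML or attribute context
    // become entities; everything else is passed through unchanged.
    static String escapeXml(String s) {
        if (s == null) {
            return "";
        }
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&#034;"); break;
                case '\'': sb.append("&#039;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Null-safe version of the redirect built in the comment. The original
    // NPE came from calling encode() on a null URLEncoder reference; encode
    // is static, so it is called on the class. A missing parameter is
    // treated as an empty message rather than the string "null".
    static String buildRedirect(String errorMsg) {
        String msg = (errorMsg == null) ? "" : errorMsg;
        return "/ErrorHTTPSession.jsp?errorMsg="
             + URLEncoder.encode(msg, StandardCharsets.UTF_8);
    }

    // What ${param.errorMsg} holds on the target page after the servlet
    // container has decoded the query string of the redirect URL.
    static String paramOnTargetPage(String redirectUrl) {
        String query = redirectUrl.substring(redirectUrl.indexOf('=') + 1);
        return URLDecoder.decode(query, StandardCharsets.UTF_8);
    }

    public static void main(String[] args) {
        // Constructed attacker input; not taken from the original page.
        String payload = "<script>alert(document.cookie)</script>";

        String url = buildRedirect(payload);
        System.out.println("redirect URL:      " + url);

        String received = paramOnTargetPage(url);
        // URL encoding only keeps the URL well-formed; the markup is back.
        System.out.println("<%= %> would emit:  " + received);
        // c:out neutralises it at the point where it reaches the browser.
        System.out.println("<c:out> emits:      " + escapeXml(received));
    }
}
```

The takeaway is that URLEncoder.encode is about getting the parameter safely into the query string; it is not an XSS defence. The defence is output encoding for the context the value lands in, which on both error.jsp and ErrorHTTPSession.jsp means printing it through c:out (or ${fn:escapeXml(param.errorMsg)}) rather than a raw scriptlet expression.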


Ravi K Thapliyal, there is also this code present in the same JSP file: <%if (dctmAccessorObj.getCurrentSession() == null) { System.out.println("Inside IF Session"); java.net.URLEncoder encodedValue = null; response.sendRedirect("/ErrorHTTPSession.jsp?errorMsg=" + encodedValue.encode(request.getParameter("errorMsg")));%>. Should any change be required in this as well?
Ravi K Thapliyal, thanks, it really helped.
