13.7.1 Option 1: HTML Escaping

Perform the following XSS checks for the customized JSP file to protect it from possible XSS attacks. For more information about XSS prevention techniques, see XSS (Cross Site Scripting) Prevention Cheat Sheet.

Perform the following steps:

  1. Verify that the org.apache.commons.lang.StringEscapeUtils class is imported in the JSP file.

    For information about how to open and modify a file, see Modifying Configurations.

    For example, the following import statement should be available in the import section of the JSP file:

    <%@ page import="org.apache.commons.lang.StringEscapeUtils"%>

  2. Verify that all URL query parameter values are sanitized before they are written into the page.

    The following code sample shows how the URL query parameter values (uname and target) are sanitized:

    <%
    // Fetch the values from URL query parameters
    String target = (String) request.getAttribute("target");
    String uname = (String) request.getAttribute("username");

    String sanitizedUName = "";
    if (uname != null) {
        // Sanitize the value assigned to uname
        sanitizedUName = StringEscapeUtils.escapeHtml(uname);
    }

    String sanitizedTarget = "";
    if (target != null) {
        // Sanitize the value assigned to the target query param
        sanitizedTarget = StringEscapeUtils.escapeHtml(target);
    }
    %>

  3. Add double quotes ("") around the value attribute (or any other attribute that is assigned dynamically) of every HTML element that receives one of the sanitized URL query parameter values above.

    <!-- The last 2 double quotes are mandatory to prevent XSS attacks -->
    <input type="text" class="smalltext" name="Ecom_User_ID" size="30" value="<%=sanitizedUName%>">
    ......
    <!-- The last 2 double quotes are mandatory to prevent XSS attacks -->
    <input type="hidden" name="target" value="<%=sanitizedTarget%>">
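    The following standalone Java program is an added example, not code from the product documentation. It reproduces the sanitizing logic of step 2 and the quoted attribute of step 3 outside a JSP container so you can see, for a few constructed inputs, what StringEscapeUtils.escapeHtml changes and why the surrounding double quotes are still required. The class name EscapeCheck and the helper methods are assumptions made for this example; the only library call is the commons-lang 2.x escapeHtml method that the JSP import above makes available.

```java
import org.apache.commons.lang.StringEscapeUtils;

/**
 * Added example (not part of the product documentation).
 * Demonstrates what escapeHtml neutralizes and why the attribute
 * must also be double-quoted (step 3 above).
 * Requires commons-lang 2.x on the classpath.
 */
public class EscapeCheck {

    /** Mirrors the step 2 scriptlet: null-safe HTML escaping of a request value. */
    static String sanitize(String raw) {
        return raw == null ? "" : StringEscapeUtils.escapeHtml(raw);
    }

    /** Renders the input element as step 3 prescribes: value inside double quotes. */
    static String quotedInput(String sanitized) {
        return "<input type=\"text\" name=\"Ecom_User_ID\" value=\"" + sanitized + "\">";
    }

    /** The variant step 3 warns against: value attribute without surrounding quotes. */
    static String unquotedInput(String sanitized) {
        return "<input type=\"text\" name=\"Ecom_User_ID\" value=" + sanitized + ">";
    }

    public static void main(String[] args) {
        // Constructed sample inputs, as a tester would submit them in the query string
        String[] samples = {
            "alice",                 // ordinary value, unchanged by escaping
            "\"><b>x</b>",           // HTML metacharacters: escaped to &quot;&gt;&lt;b&gt;...
            "alice onfocus=x"        // no metacharacters at all, only a space
        };
        for (String s : samples) {
            String sanitized = sanitize(s);
            System.out.println("raw:       " + s);
            System.out.println("escaped:   " + sanitized);
            System.out.println("quoted:    " + quotedInput(sanitized));
            System.out.println("unquoted:  " + unquotedInput(sanitized));
            System.out.println();
        }
    }
}
```

    Reading the output for the third sample makes the point of step 3: escapeHtml only rewrites characters such as <, >, &, and ", so a value made of letters and spaces comes back unchanged. Inside a double-quoted attribute that is harmless, because the browser reads everything up to the closing quote as the value. In the unquoted form the browser ends the value at the first space and treats the rest as a new attribute, which is exactly the breakout that the mandatory quotes prevent. Keep both steps in place: escaping stops the second sample, quoting stops the third.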