Joshua MN Joshua MN - 8 months ago 105
Java Question

Escape all strings in JSP/Spring MVC

I display strings in my JSP this way:


this string may, of course, contain special html characters. Currently it is possible to HTML-inject malicious code (eg. if someString is a javascript include -
<script src...>

How can I make sure that all strings are escaped before printing?

I am using Spring MVC and JSP.


You can use JSTL core :

<%@ taglib prefix="c" uri="" %>

Use <c:out value="${someString}"/> tag to display Strings. <c:out> escapes HTML characters so that you can avoid cross-site scripting, you can specify that by setting the attribute escapeXml=true. Another advantage is that you can also provide a default value in case the value evaluates to null.

You can also use fn:escapeXml() EL function. You need to include JSTL functions for that .

<%@ taglib prefix="fn" uri="" %>

Another possible way , will be build a custom ELResolver.

Enables customization of variable and property resolution behavior for EL expression evaluation.

This blog provides a working example of how it can be done.

For the entire Spring MVC app , you can specify the escaping in the web.xml:


But then the escaping applies only to the spring tags , like :

<form:input path="formField" htmlEscape="true" />

Lastly , you can try the third-party library XSSFilter.