We help IT Professionals succeed at work.
Get Started

preventing XSS in a spring mvc application

Rohit Bajaj
Rohit Bajaj asked
Last Modified: 2020-04-13
I have a spring mvc application. In the initial page i load the following jsp :
	<!DOCTYPE html>
		<title>Create Snippet</title>

    <meta name="viewport" content="width=device-width,initial-scale=1,maximum-scale=1">

    <script src="resources/lib/jquery/dist/jquery.js"></script>
    <script src="resources/lib/codemirror/lib/codemirror.js" type="text/javascript" charset="utf-8"></script>
    <script src="resources/lib/codemirror/addon/selection/active-line.js" type="text/javascript" charset="utf-8"></script>
    <script src="resources/lib/codemirror/mode/loadmode.js"></script>
    <script src="resources/lib/codemirror/mode/meta.js"></script>
    <script src="resources/lib/codemirror/mode/python/python.js" type="text/javascript" charset="utf-8"></script>
    <link rel="stylesheet" href="resources/lib/codemirror/lib/codemirror.css" />
    <link rel="stylesheet" href="resources/css/new.css"/>

    <div id="container">
      <div class="dialogWidget">
        <div class="dijitDialogTitleBar">
          <div class="dijitDialogTitle">Create Snippet</div>
        <div class="dijitDialogPaneContent">
          <input id="name" type="text" class="title" placeholder="Title (optional)" />
          <div class="form-group">
            <select id="mode" class="form-control">
              <option value="" disabled selected style='display:none;'>Code Type</option>
              <option id="text/apl" > APL</option>
              <option id="application/pgp" > PGP</option>
              <option id="text/x-ttcn-asn" > ASN.1</option>
              <option id="text/x-asterisk" > Asterisk</option>
              <option id="text/x-csrc" > C</option>
              <option id="text/x-c++src" > C++</option>
              <option id="text/x-cobol" > Cobol</option>
              <option id="text/x-csharp" > C#</option>
              <option id="text/x-clojure" > Clojure</option>
              <option id="text/x-cmake" > CMake</option>
              <option id="text/x-coffeescript" > CoffeeScript</option>
              <option id="text/x-common-lisp" > Common Lisp</option>
              <option id="application/x-cypher-query" > Cypher</option>
              <option id="text/x-cython" > Cython</option>
              <option id="text/css" > CSS</option>
              <option id="text/x-cassandra" > CQL</option>
              <option id="text/x-d" > D</option>
              <option id="application/dart" > Dart</option>
              <option id="text/x-diff" > diff</option>
              <option id="text/x-django" > Django</option>
              <option id="text/x-dockerfile" > Dockerfile</option>
              <option id="application/xml-dtd" > DTD</option>
              <option id="text/x-dylan" > Dylan</option>
              <option id="text/x-ebnf" > EBNF</option>
              <option id="text/x-ecl" > ECL</option>
              <option id="text/x-eiffel" > Eiffel</option>
              <option id="application/x-ejs" > Embedded Javascript</option>
              <option id="application/x-erb" > Embedded Ruby</option>
              <option id="text/x-erlang" > Erlang</option>
              <option id="text/x-forth" > Forth</option>
              <option id="text/x-fortran" > Fortran</option>
              <option id="text/x-fsharp" > F#</option>
              <option id="text/x-gas" > Gas</option>
              <option id="text/x-feature" > Gherkin</option>
              <option id="text/x-gfm" > GitHub Flavored Markdown</option>
              <option id="text/x-go" > Go</option>
              <option id="text/x-groovy" > Groovy</option>
              <option id="text/x-haml" > HAML</option>
              <option id="text/x-haskell" > Haskell</option>
              <option id="text/x-haxe" > Haxe</option>
              <option id="text/x-hxml" > HXML</option>
              <option id="application/x-aspx" > ASP.NET</option>
              <option id="text/html" > HTML</option>
              <option id="message/http" > HTTP</option>
              <option id="text/x-idl" > IDL</option>
              <option id="text/x-jade" > Jade</option>
              <option id="text/x-java" > Java</option>
              <option id="application/x-jsp" > Java Server Pages</option>
              <option id="text/javascript" > JavaScript</option>
              <option id="application/json" > JSON</option>
              <option id="application/ld+json" > JSON-LD</option>
              <option id="text/x-julia" > Julia</option>
              <option id="text/x-kotlin" > Kotlin</option>
              <option id="text/x-less" > LESS</option>
              <option id="text/x-livescript" > LiveScript</option>
              <option id="text/x-lua" > Lua</option>
              <option id="text/x-markdown" > Markdown</option>
              <option id="text/mirc" > mIRC</option>
              <option id="text/x-mariadb" > MariaDB SQL</option>
              <option id="text/x-mathematica" > Mathematica</option>
              <option id="text/x-modelica" > Modelica</option>
              <option id="text/x-mumps" > MUMPS</option>
              <option id="text/x-mssql" > MS SQL</option>
              <option id="text/x-mysql" > MySQL</option>
              <option id="text/x-nginx-conf" > Nginx</option>
              <option id="text/n-triples" > NTriples</option>
              <option id="text/x-objectivec" > Objective C</option>
              <option id="text/x-ocaml" > OCaml</option>
              <option id="text/x-octave" > Octave</option>
              <option id="text/x-pascal" > Pascal</option>
              <option id="text/x-perl" > Perl</option>
              <option id="application/x-httpd-php" > PHP</option>
              <option id="text/x-pig" > Pig</option>
              <option id="text/plain" > Plain Text</option>
              <option id="text/x-plsql" > PLSQL</option>
              <option id="text/x-properties" > Properties files</option>
              <option id="text/x-python" > Python</option>
              <option id="text/x-puppet" > Puppet</option>
              <option id="text/x-q" > Q</option>
              <option id="text/x-rsrc" > R</option>
              <option id="text/x-rst" > reStructuredText</option>
              <option id="text/x-rpm-changes" > RPM Changes</option>
              <option id="text/x-rpm-spec" > RPM Spec</option>
              <option id="text/x-ruby" > Ruby</option>
              <option id="text/x-rustsrc" > Rust</option>
              <option id="text/x-sass" > Sass</option>
              <option id="text/x-scala" > Scala</option>
              <option id="text/x-scheme" > Scheme</option>
              <option id="text/x-scss" > SCSS</option>
              <option id="text/x-sh" > Shell</option>
              <option id="application/sieve" > Sieve</option>
              <option id="text/x-slim" > Slim</option>
              <option id="text/x-stsrc" > Smalltalk</option>
              <option id="text/x-smarty" > Smarty</option>
              <option id="text/x-solr" > Solr</option>
              <option id="text/x-soy" > Soy</option>
              <option id="application/sparql-query" > SPARQL</option>
              <option id="text/x-spreadsheet" > Spreadsheet</option>
              <option id="text/x-sql" > SQL</option>
              <option id="text/x-mariadb" > MariaDB</option>
              <option id="text/x-stex" > sTeX</option>
              <option id="text/x-latex" > LaTeX</option>
              <option id="text/x-systemverilog" > SystemVerilog</option>
              <option id="text/x-tcl" > Tcl</option>
              <option id="text/x-textile" > Textile</option>
              <option id="text/x-tiddlywiki" > TiddlyWiki </option>
              <option id="text/tiki" > Tiki wiki</option>
              <option id="text/x-toml" > TOML</option>
              <option id="text/x-tornado" > Tornado</option>
              <option id="troff" > troff</option>
              <option id="text/x-ttcn" > TTCN</option>
              <option id="text/x-ttcn-cfg" > TTCN_CFG</option>
              <option id="text/turtle" > Turtle</option>
              <option id="application/typescript" > TypeScript</option>
              <option id="text/x-twig" > Twig</option>
              <option id="text/x-vb" > VB.NET</option>
              <option id="text/vbscript" > VBScript</option>
              <option id="text/velocity" > Velocity</option>
              <option id="text/x-verilog" > Verilog</option>
              <option id="application/xml" > XML</option>
              <option id="application/xquery" > XQuery</option>
              <option id="text/x-yaml" > YAML</option>
              <option id="text/x-z80" > Z80</option>

			  <div id="editor-pane">
				<div id="editor"></div>
			  <div class="message_area">
					<textarea id="message" type="text" placeholder="Add Comment (Optional)" ></textarea>
			  <div class="buttons">
				  <button id="submit" class="btn_green">Create & Post</button>
				  <button class="dailogueCancel" id="cancel">Cancel</button>
		<div class="invisible" data-create-url="${createURL}"></div>

    <script src="resources/js/flockback.js" type="text/javascript"></script>
    <script src="resources/js/detect.js" type="text/javascript"></script>
    <script src="resources/js/new.js" type="text/javascript"></script>


Open in new window

This is bascially an editor in which i can type a title and text
If it type <script>alert(10)</script> in the title field the script gets executed.
I want to avoid this.
I tried adding the following to the web.xml :

Open in new window

But it didnt work. Probably because this only works with forms.

Please guide Is there any way which spring provides so that i dont need to handle this manually ?
Watch Question
Top Expert 2015
This problem has been solved!
Unlock 1 Answer and 9 Comments.
See Answer
Why Experts Exchange?

Experts Exchange always has the answer, or at the least points me in the correct direction! It is like having another employee that is extremely experienced.

Jim Murphy
Programmer at Smart IT Solutions

When asked, what has been your best career decision?

Deciding to stick with EE.

Mohamed Asif
Technical Department Head

Being involved with EE helped me to grow personally and professionally.

Carl Webster
CTP, Sr Infrastructure Consultant
Ask ANY Question

Connect with Certified Experts to gain insight and support on specific technology challenges including:

  • Troubleshooting
  • Research
  • Professional Opinions
Did You Know?

We've partnered with two important charities to provide clean water and computer science education to those who need it most. READ MORE