Monday, October 17, 2011

XSS Summary

For Stripes: -

1. Stripes HTML-escapes the value of every input tag it renders. The escaping happens in the tag itself, so it applies regardless of which PopulationStrategy repopulated the value.
2. LocalizableError *fieldValue* will be escaped.
3. SimpleError will *not* be escaped.
4. SimpleMessage and LocalizableMessage will *not* be escaped.

For JSTL: -
1. <c:out> will escape by default (escapeXml="true" unless you turn it off)
2. ${..} will *not* escape
3. ${fn:escapeXml(...)} will call the escapeXml function to escape the content (same character set as <c:out>: < > & ' ")

Therefore: -

1. Always use <c:out> to render output; don't use ${}
2. If you must use ${somevalue}, use ${fn:escapeXml(somevalue)}. Note this only covers HTML body and quoted attribute contexts; a value placed inside a <script> block or a URL needs the context-specific encoding described in the OWASP cheat sheet linked below.
3. Every argument that carries a user-supplied String value and is passed to MessageDisplay or ValidationErrors (SimpleError, SimpleMessage, LocalizableMessage, which are not escaped for you) must be wrapped as SafeHtmlUtil.HTMLEntityEncode(arg[n]) before it is passed in.
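The following is an added example, not code from the original post or from the Stripes/JSTL projects. It shows rule 2 and rule 3 side by side: an HTML entity encoder with the same character set that <c:out> and fn:escapeXml escape, and a message formatter that substitutes {0} placeholders the way SimpleError/SimpleMessage do (assumed here to be java.text.MessageFormat substitution with no escaping). SafeHtmlUtil in the post is the author's own helper; htmlEntityEncode below is an assumed stand-in for it, and the attacker string is constructed for the demo.

```java
import java.text.MessageFormat;

/**
 * Added example: not part of the original post or of Stripes/JSTL.
 * htmlEntityEncode is an assumed stand-in for the post's SafeHtmlUtil.HTMLEntityEncode.
 */
public class XssEscapeDemo {

    /** Escape the five characters that let a value break out of HTML text or a quoted attribute.
     *  This is the character set JSTL's escapeXml handles: < > & " ' */
    public static String htmlEntityEncode(String s) {
        if (s == null) {
            return "";
        }
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&#034;"); break;
                case '\'': sb.append("&#039;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Stand-in for what SimpleError/SimpleMessage do with their arguments (assumed: plain
     *  MessageFormat substitution). Nothing is escaped, so user input passes straight through. */
    public static String formatUnescaped(String template, String... args) {
        return MessageFormat.format(template, (Object[]) args);
    }

    /** Rule 3 from the post: encode every user-controlled argument before it reaches the message. */
    public static String formatEscaped(String template, String... args) {
        String[] safe = new String[args.length];
        for (int i = 0; i < args.length; i++) {
            safe[i] = htmlEntityEncode(args[i]);
        }
        return formatUnescaped(template, safe);
    }

    public static void main(String[] a) {
        // Constructed attacker input, e.g. a username submitted through a form field
        String userInput = "\"><script>alert(document.cookie)</script>";

        // ${userInput} in a JSP: rendered verbatim, script executes
        System.out.println("${...}          : " + userInput);
        // <c:out value="${userInput}"/> or ${fn:escapeXml(userInput)}: rendered as inert text
        System.out.println("fn:escapeXml    : " + htmlEntityEncode(userInput));

        // new SimpleError("User {0} not found", userInput): Stripes does not escape the argument
        System.out.println("SimpleError raw : " + formatUnescaped("User {0} not found", userInput));
        // new SimpleError("User {0} not found", SafeHtmlUtil.HTMLEntityEncode(userInput))
        System.out.println("SimpleError safe: " + formatEscaped("User {0} not found", userInput));
    }
}
```

The encoder is deliberately limited to the HTML text and attribute contexts the post is about; if a message ends up inside a JavaScript block or a URL, entity encoding alone is not sufficient and the context-specific rules in the OWASP cheat sheet apply.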



XSS Prevention

https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet
