CRITICAL
Rule Definition
Escaping HTML special characters in values rendered by Spring tags prevents attacker-controlled data from being interpreted as markup, which protects against Cross-site Scripting (XSS) attacks. With defaultHtmlEscape set to false, tag output is written to the page unescaped.
Remediation
Enable HTML escaping for Spring tags by setting defaultHtmlEscape to true, either application-wide in web.xml or at page level with the spring:htmlEscape tag (HtmlEscapeTag).
Violation Code Sample
# Sample 1 - configuration file web.xml
<context-param>
<param-name>defaultHtmlEscape</param-name>
<param-value>false</param-value>
</context-param>
# Sample 2 - Page level, as a tag-declaration in JSP page *.jsp
<spring:htmlEscape defaultHtmlEscape="false" />
# Sample 3 - Page level - source file *.java
import org.springframework.web.servlet.tags.HtmlEscapeTag;

HtmlEscapeTag htmlEscapeTag = new HtmlEscapeTag();
htmlEscapeTag.setDefaultHtmlEscape(false); // disables escaping for the whole page
Fixed Code Sample
# Remediation sample 1 - configuration file web.xml
<context-param>
<param-name>defaultHtmlEscape</param-name>
<param-value>true</param-value>
</context-param>
# Remediation sample 2 - Page level, as a tag-declaration in JSP page *.jsp
<spring:htmlEscape defaultHtmlEscape="true" />
# Remediation sample 3 - Page level in source file *.java
import org.springframework.web.servlet.tags.HtmlEscapeTag;

HtmlEscapeTag htmlEscapeTag = new HtmlEscapeTag();
htmlEscapeTag.setDefaultHtmlEscape(true); // enables escaping for the whole page
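As an added illustration (not taken from this rule page or from Spring's own code), the following Java snippet mirrors what a Spring tag does with its content depending on the effective htmlEscape setting, and shows why the false setting above is reported. It assumes spring-web (org.springframework.web.util.HtmlUtils) is on the classpath; the sample value is constructed.

```java
import org.springframework.web.util.HtmlUtils;

public class HtmlEscapeDemo {

    // Mirrors the behaviour of Spring's HtmlEscapingAwareTag: content is escaped
    // only when the effective setting (tag attribute, page-level <spring:htmlEscape>,
    // or the web.xml defaultHtmlEscape context-param) resolves to true.
    static String render(String content, boolean htmlEscape) {
        return htmlEscape ? HtmlUtils.htmlEscape(content) : content;
    }

    // Defender-side check: rendered output in an HTML text context must not
    // contain raw markup characters; if it does, escaping was not applied.
    static boolean containsRawMarkup(String rendered) {
        return rendered.indexOf('<') >= 0 || rendered.indexOf('>') >= 0;
    }

    public static void main(String[] args) {
        // Constructed sample of attacker-controlled input reaching a Spring tag
        // (for instance via a model attribute bound with <spring:bind>).
        String userValue = "<script>alert('xss')</script>";

        // Violation: defaultHtmlEscape=false -> markup reaches the browser as-is.
        String unsafe = render(userValue, false);
        System.out.println("escape=false : " + unsafe
                + "  (raw markup: " + containsRawMarkup(unsafe) + ")");

        // Remediation: defaultHtmlEscape=true -> '<' becomes "&lt;", '>' becomes
        // "&gt;", so the browser shows the text instead of running a script.
        String safe = render(userValue, true);
        System.out.println("escape=true  : " + safe
                + "  (raw markup: " + containsRawMarkup(safe) + ")");
    }
}
```

Note that escaping for an HTML text context does not cover JavaScript, URL or CSS contexts; those need their own encoders as described in the OWASP cheat sheet referenced below.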
Reference
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
https://cwe.mitre.org/data/definitions/79.html
OWASP Cross Site Scripting Prevention Cheat Sheet, § Output Encoding for "HTML Contexts"
https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html#output-encoding-for-html-contexts
Spring Framework class org.springframework.web.servlet.tags.HtmlEscapeTag
https://docs.spring.io/spring-framework/docs/current/javadoc-api/org/springframework/web/servlet/tags/HtmlEscapeTag.html
Related Technologies
Technical Criterion
Secure Coding - Input Validation