Some good sites explaining Cross-Site Scripting (XSS):
- Preventing XSS Attack
- XSS Protect, a project hosted on Google code.
- For an entire Spring MVC app, you can turn on HTML escaping by default in web.xml:

```xml
<context-param>
  <param-name>defaultHtmlEscape</param-name>
  <param-value>true</param-value>
</context-param>
```

But this only affects output produced through Spring's JSP tag libraries (the spring: and form: tags), like `<form:input path="formField" htmlEscape="true" />`, where the per-tag htmlEscape attribute can also override the default. Anything written to the page outside those tags, such as a raw `${...}` EL expression or scriptlet output, is not escaped by this setting and still has to be escaped explicitly.
- Manual testing for XSS
- A good test string is `>'>"><img src=x onerror=alert(0)>`. If your application doesn't correctly escape this string, the injected tag is rendered, you will see an alert, and you will know that something went wrong. The leading `>'>"` is there to break out of an open tag or a single-quoted, double-quoted or unquoted attribute value first, so one string probes several injection contexts at once.
- Wherever your application handles user-supplied URLs (links, redirects, image sources), enter `javascript:alert(0)` or `data:text/html,<script>alert(0)</script>`. If either fires, the application accepts arbitrary URL schemes; the fix is to allowlist the schemes you expect (normally http and https) after parsing the URL, rather than blocklisting strings. One caveat: current Chrome and Firefox block page-initiated top-level navigation to `data:` URLs, so that probe can stay silent even though the scheme was accepted; check the reflected href in the page source as well.