I have a simple JSP that has 3 inputs (name, id and email) and a form submit. From doing some reading, it looks like my input values should be encoded. How can I do this? Can anyone provide an example? For e.g.
<td><input id="email" name="email" value=""/></td>
<td><input id="fullname" name="fullname" value=""/></td>
<td><input id="userId" name="userId" value=""/></td>
<input type ="submit" value ="Get User" />
How should the email, fullname and userId be encoded? Also I have seen an example as follows:
String safeOutput = ESAPI.encoder().encodeForHTML(comment);
Should the encoding be done both to the HTML and to the Java code? I would appreciate some tips, as I am confused about this. Thanks
Basically if someone puts any HTML in any of your parameters and you then display those on your site, their HTML will be parsed by the browser. They could use this to screw up your formatting, i.e. leave a B tag unclosed, or they could put in a script tag pointing to a script on another site.
The two most basic ways to protect against it are:
Those will work if you want to disallow all HTML. But if you want to allow the user to input some HTML, like safe tags (B, I, EM, STRONG), then you need a library that removes all HTML tags not on a whitelist.
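As an added illustration (not code from the question or the answer above), here is a small self-contained Java program that encodes the three submitted values before echoing them back into the `value=""` attributes of the question's inputs. The hand-written `encodeForHtmlAttribute` stands in for a library call such as ESAPI's `encoder().encodeForHTMLAttribute()` (or JSTL's `<c:out>` in a JSP, which escapes by default); the sample submissions are constructed.

```java
// Added example: attribute-context output encoding for the question's form fields.
// The encoder below is illustrative; in a real project use a maintained library
// encoder (e.g. ESAPI encodeForHTMLAttribute) rather than rolling your own.
import java.util.LinkedHashMap;
import java.util.Map;

public class FormEncodingDemo {

    // Replace the characters that can end an attribute or start a tag.
    public static String encodeForHtmlAttribute(String s) {
        if (s == null) return "";
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Render one of the question's <input> elements with the submitted value
    // encoded, so the browser treats the whole value as attribute text.
    public static String renderInput(String name, String submittedValue) {
        return "<input id=\"" + name + "\" name=\"" + name + "\" value=\""
                + encodeForHtmlAttribute(submittedValue) + "\"/>";
    }

    public static void main(String[] args) {
        // Constructed sample submissions: benign values and one that would
        // otherwise close the attribute and leave a B tag unclosed, as the
        // answer describes.
        Map<String, String> params = new LinkedHashMap<>();
        params.put("email", "alice@example.com");
        params.put("fullname", "Alice \"Ace\" O'Brien");
        params.put("userId", "\"><b>unclosed");
        for (Map.Entry<String, String> e : params.entrySet()) {
            System.out.println(renderInput(e.getKey(), e.getValue()));
        }
    }
}
```

The same encoding must happen wherever a parameter is written into HTML, whether from scriptlet Java or from JSP markup; the browser only sees the final page.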