xss struts-1

Bean:write filter doesn't work


I'm working on an application with Struts 1 and JSP. I have to write XSS protection. I have inputs like this one:

<input id="name"  name="name" class="someClass" type="text" 
        value="<bean:write name="personForm" property="name"/>">

I read that for protection against XSS attacks I have to add the filter attribute to bean:write, and filter should be true. So my code looks like this now:

<input id="name"  name="name" class="someClass" type="text" 
        value="<bean:write name="personForm" property="name" filter="true"/>">

But I'm still able to submit scripts. Do you know why this might happen?


Solution

  • bean:write is only for rendering purposes. The value passed to the server side does not get filtered.
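
The distinction the answer draws, shown as an added example that is not part of the original post and not Struts code: `escapeHtml` and `renderInput` are hypothetical stand-ins for what happens when the tag writes the value, and the submitted string is a constructed sample.

```java
public class RenderTimeEscapingDemo {

    // Hypothetical stand-in for the escaping applied when the value is
    // written to the page with filter="true"; not the Struts implementation.
    static String escapeHtml(String value) {
        if (value == null) {
            return "";
        }
        StringBuilder out = new StringBuilder(value.length() + 16);
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            switch (c) {
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '&':  out.append("&amp;");  break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // Builds the input element from the question around a given value.
    static String renderInput(String value, boolean filter) {
        String shown = filter ? escapeHtml(value) : value;
        return "<input id=\"name\" name=\"name\" class=\"someClass\" type=\"text\" value=\""
                + shown + "\">";
    }

    public static void main(String[] args) {
        // Constructed sample of a submitted value; the server receives it as typed.
        String submitted = "\"><script>alert(1)</script>";

        // Stand-in for personForm: the form bean holds the raw string.
        String stored = submitted;

        System.out.println("stored in form bean : " + stored);
        System.out.println("rendered, no filter : " + renderInput(stored, false));
        System.out.println("rendered, filter    : " + renderInput(stored, true));
        // The stored value is identical in both cases; only the markup differs.
    }
}
```

Being able to submit the script is therefore expected. What to check is the rendered page source, where the filtered output keeps the whole value inside the `value` attribute.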