[Esapi-user] XSS prevention

Uma Venkatakrishnan uma at akhilainfo.co.in
Mon Aug 21 09:34:25 UTC 2017

Hi All,

I have a general query on XSS prevention. To avoid XSS attacks, I assume
that whenever we have an input field in a JSP, we should escape it and show
it to the user, i.e. all user-enterable fields in a JSP should be escaped
using any of the tag library functions. When we do that, the user sees the
input field value with escape sequences if he has entered any special
characters. My user community says that this is ambiguous to the user.

For instance, I have
<form:input id="name" type="text" name="name" path="name"
value="${fn:escapeXml(myBean.name)}" autocomplete="off"/>

whenever the user enters 'Mr & Mrs. Mathew' in the above field, it gets
converted to 'Mr & Mrs Mathew' on the screen. This happens when an
action button is clicked. My users are expecting to see only 'Mr & Mrs.
Mathew' as they typed it in. Is this expected, or am I going wrong in the usage
of the XSS prevention functions?
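Added example, not from the original post and not ESAPI or JSTL code: a small Java simulation of what the browser displays when an attribute value is escaped exactly once at output time, versus when a value that is already escaped is escaped again. The helpers escapeXml and browserDecode are hypothetical stand-ins; escapeXml mirrors only the five characters JSTL's fn:escapeXml replaces, and browserDecode models the browser decoding an attribute value a single time.

```java
import java.util.LinkedHashMap;
import java.util.Map;

// Demonstrates single escaping (displays as typed) versus double escaping
// (displays literal escape sequences). Hypothetical helpers, not JSTL code.
public class AttributeEscapeDemo {
    // Same substitutions JSTL's fn:escapeXml performs for an HTML/XML context.
    static String escapeXml(String s) {
        StringBuilder out = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&#034;"); break;
                case '\'': out.append("&#039;"); break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }
    // Minimal stand-in for the browser decoding an attribute value once.
    static String browserDecode(String attr) {
        Map<String, String> entities = new LinkedHashMap<>();
        entities.put("&lt;", "<");    entities.put("&gt;", ">");
        entities.put("&#034;", "\""); entities.put("&#039;", "'");
        entities.put("&amp;", "&");   // decoded last, and only once
        String out = attr;
        for (Map.Entry<String, String> e : entities.entrySet()) {
            out = out.replace(e.getKey(), e.getValue());
        }
        return out;
    }
    public static void main(String[] args) {
        String typed = "Mr & Mrs. Mathew";   // constructed sample input
        // Escaped exactly once when rendered: the browser decodes the entity
        // and the user sees exactly what was typed.
        String once = escapeXml(typed);
        System.out.println("attribute: value=\"" + once + "\"");
        System.out.println("displayed: " + browserDecode(once));
        // Value that is already escaped (for example, stored escaped) and
        // escaped again on output: the user now sees the escape sequence.
        String twice = escapeXml(once);
        System.out.println("attribute: value=\"" + twice + "\"");
        System.out.println("displayed: " + browserDecode(twice));
    }
}
```

Escaping once at the point where the value is written into the attribute is the intended use; escape sequences become visible to the user only when the value being escaped already contains them.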
