Fixing Cross-site Scripting in Spring MVC

Posted on May 1, 2012

In Spring MVC, the form tag library is used to build JSP pages. Spring MVC provides several options for HTML-escaping output on the server side, so that user-supplied values are rendered as text rather than as markup.

Add the following context parameter to the web.xml file to enable HTML escaping globally for the Spring tags:

        <context-param>
            <param-name>defaultHtmlEscape</param-name>
            <param-value>true</param-value>
        </context-param>

At the page level, the same default is set with a tag declaration at the top of the JSP:

        <spring:htmlEscape defaultHtmlEscape="true" />
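An added example (not from the original post) showing how the page-level declaration and the web.xml default interact with the form tags they govern, and where they do not apply. It assumes a model attribute named `user` with a `name` property bound in the controller.

```jsp
<%@ taglib prefix="spring" uri="http://www.springframework.org/tags" %>
<%@ taglib prefix="form" uri="http://www.springframework.org/tags/form" %>
<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>

<%-- Page-level default: overrides the defaultHtmlEscape context-param for this page --%>
<spring:htmlEscape defaultHtmlEscape="true" />

<%-- Assumed model attribute "user" with a "name" property (not from the post) --%>
<form:form modelAttribute="user">
    <%-- With escaping on, a stored name of <script>alert(1)</script> is rendered as
         value="&lt;script&gt;alert(1)&lt;/script&gt;", i.e. inert text in the attribute --%>
    <form:input path="name" />

    <%-- The per-tag attribute takes precedence over both the page and web.xml defaults;
         setting it explicitly makes the intent visible in code review --%>
    <form:input path="name" htmlEscape="true" />
</form:form>

<%-- Caveat: these defaults only govern Spring tags (form:*, spring:message, spring:bind).
     A plain EL expression is written to the response verbatim and is NOT escaped: --%>
${user.name}

<%-- Escape such values explicitly, for example with JSTL, which escapes XML by default --%>
<c:out value="${user.name}" />
```

When reviewing a page, treat every bare `${...}` outside a Spring tag as unescaped output regardless of the `defaultHtmlEscape` setting.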