Spring cross site scripting XSS issues solution

XSS (Cross-site Scripting) is one of the most common vulnerabilities with a web-application. And, it can be exploited by hackers very easily without using any sophisticated tool.

How does it work?
Most web-applications have forms (text-box etc.) to receive input-data from user. So, a web-application may have a input-text-field to get 'user-id'. The hacker may enter anything in it including "JavaScript". If the hacker enters JavaScript (a malicious code), the server may process it, and then return it. In this case, user-id is not authenticated and it is sent as it is on the error page.

If the user's input data is returned as it is, the java-script code may execute. And, hacker wins!!

I am posting solution for Spring… 

In Spring-MVC, form-tags are used to create jsp page. Spring MVC provides multiple options to encode the html-escape-sequences on server side.

  • At global level, it can be defined in web.xml file. This will be applicable to entire application. All form-tags would refer to this definition. The sample code is shown below:

         <context-param>
            <param-name>defaultHtmlEscape</param-name>
            <param-value>true</param-value>
        </context-param>

  • At page level, it is defined as a tag-declaration. The code is:

          Any form-tag, after the above declaration uses html-escape-sequence-encoding.

          <spring:htmlEscape defaultHtmlEscape="true" />

  • Third option is to define it as attribute for each form-tag. For example, a input-text can be defined as :

          <form:input path="name" htmlEscape="true" />

           Depending upon requirement, it can be implemented as global, page or tag level.

I hope this information helps. Please do post your comments 🙂

How To: Read web/META-INF/MANIFEST.MF in Web Application

Hi All, 

As you all know In web application inside web directory there is a META-INF directory. Inside which we have MANIFEST.MF that holds version information. I have to read the MANIFEST.MF from this directrory. Need the manifest info for the purpose of build info and have to show in footer of each page. It's easy to read it in case of JAR file and while searching on net I got mostly examples on jar,classpath related Manifest. But my requirement was to read web/META-INF/MANIFEST.MF file.

So I am posting here what I done:

Inside web application then using the ServletContext.getResourceAsStream
method should work and same I used.

// for a Servlet, you can get the ServletContext like this
 ServletContext aContext = getServletConfig().getServletContext();
 InputStream inputStream = aContext.getResourceAsStream("/META-INF/MANIFEST.MF");

In Spring application do following inside controller:

//Build Info
ServletContext aContext= getServletContext();
InputStream fis =aContext.getResourceAsStream("/META-INF/MANIFEST.MF");

Hope this helps you 🙂 . Do post your comments