
Doubt in EL part of JSP 2.0 specification

 
vijayakumar vivekanandan
Greenhorn
Posts: 21
I was skimming through the JSP 2.0 specification's EL part (page 1-65).
I cannot understand the "to help prevent cross-site scripting attacks" part of the following lines:


"The semantics of an EL expression are the same as with Java expressions: the
value is computed and inserted into the current output. In cases where escaping is
desired (for example, to help prevent cross-site scripting attacks), the JSTL core
tag <c:out> can be used."


How do cross-site scripting attacks occur if we use expressions, and how are they prevented in EL?


Thanks in advance.
 
Gabriel Forro
Ranch Hand
Posts: 59
Hello,

imagine you have a request attribute:


if you use:

, there will be a JavaScript block on the client side.

But if you use:


the text will be text and not JavaScript code, thanks to the escaping.
So the answer is that cross-site scripting attacks are not prevented in EL. You can use the

tag to prevent them.

[ December 13, 2004: Message edited by: Gabriel Forro ]

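As an added illustration (not part of Gabriel's post or of any JSTL implementation), a small Java program that reproduces the difference between `${attr}` and `<c:out value="${attr}"/>`: `rawEl` inserts the value unchanged as EL does, and `cOut` applies the five-character escaping table that the JSTL specification defines for `<c:out>` with its default `escapeXml="true"`. The request attribute value is a constructed sample.

```java
import java.util.LinkedHashMap;
import java.util.Map;

/**
 * Added example: contrasts raw EL output (${attr}) with the escaping that
 * the JSTL <c:out> tag applies by default (escapeXml="true").
 * Not from the original thread; the attribute value below is a constructed sample.
 */
public class ElEscapingDemo {

    /** The five characters <c:out> rewrites, as listed in the JSTL specification. */
    private static final Map<Character, String> ESCAPES = new LinkedHashMap<>();
    static {
        ESCAPES.put('<', "&lt;");
        ESCAPES.put('>', "&gt;");
        ESCAPES.put('&', "&amp;");
        ESCAPES.put('\'', "&#039;");
        ESCAPES.put('"', "&#034;");
    }

    /** What ${attr} does: the computed value is inserted into the output as-is. */
    static String rawEl(String value) {
        return value;
    }

    /** What <c:out value="${attr}"/> does: each special character is replaced. */
    static String cOut(String value) {
        StringBuilder out = new StringBuilder(value.length());
        for (char ch : value.toCharArray()) {
            String replacement = ESCAPES.get(ch);
            out.append(replacement != null ? replacement : ch);
        }
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed sample: a request attribute whose value came from user input.
        String attr = "<script>alert('hi')</script>";

        // Rendered by ${attr}: the browser receives a real <script> element.
        System.out.println("${attr}              -> " + rawEl(attr));

        // Rendered by <c:out value="${attr}"/>: the browser displays the text literally.
        System.out.println("<c:out value=...>    -> " + cOut(attr));
    }
}
```

Compiling and running it prints the attribute once as live markup and once as the entity-encoded text `&lt;script&gt;alert(&#039;hi&#039;)&lt;/script&gt;`, which is exactly what a browser would show as plain text.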
 
vijayakumar vivekanandan
Greenhorn
Posts: 21
Thanks Gabry. That was a crystal clear illustration. Is there any material elaborating on such possible attacks? This will help me make my code secure.
 