Thanks Tim for replying back .
I will go little furthur we we have done and what are the situations we are facing.
In webapp, at most places we have POST request ,and spring encryption for URL params/GET request.
Anyone can intercept HTTP request and change the data. But we are safe in case of bad data(bad characters) going to db because of server side filtering.
This is current security implementation and obviously not enough.
. data coming from db into a list and list is rendered on jsp page. Request is intercepted and data is modified and XSS added eg
; and that is rendered on jsp page.
i enter some input value - "xyz" on a form on jsp page and it is passed to next jsp page and rendered (through model attributes) and inbetter modified by intercepting hhtp request.Modified value is being rendered on 2nd jsp. It could contain <iframe> too.
How to protect from such cases?Is SSL a solution?Should we put validations on output data too?Is it right approach?