Monday, January 2, 2012

Attempt to prevent XSS in JSP... failed

As every web developer should know, you have to escape untrusted output to prevent cross-site scripting vulnerabilities. Most web frameworks do it by default, but not JSP. In JSP, you have to do it manually every time, either using <c:out>...</c:out> or ${fn:escapeXml(...)}. Needless to say, it is easy to forget (especially if you are used to a modern framework), and it clutters the template.

It feels logical that this problem should have been solved already, given that thousands of developers have used JSP every day for years. But I've found only one solution that looks promising: http://pukkaone.github.com/2011/01/03/jsp-cross-site-scripting-elresolver.html.

I've given it a try and found that it basically works as expected. Most importantly, you can override the escaping where needed by using the custom tag. But there are two problems that prevented me from using it:

  1. The effect of this resolver is global (as expected), so you must remove the existing escaping from every JSP that has it and re-test the whole application.
  2. If you use <jsp:include> with parameters (and I use it a lot), you must override the escaping of the parameter values to avoid double escaping.

So, while the first problem is solvable (given the time and resources), the second makes the whole solution look doubtful. Instead of being careful to use escaping everywhere, I now need to be careful to override escaping on each <jsp:include>. And again, it creates a lot of clutter.
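To make the second problem concrete, here is an added Python simulation (not code from the post or from the pukkaone project) of why a global escaping ELResolver escapes a <jsp:param> value twice: the param's value attribute is itself an EL expression, so it is resolved (and escaped) once when the include is set up and again when the included page prints it. The `override_param` flag stands in for the custom tag the post mentions, and `is_double_escaped` is a check you can run over rendered output to spot the symptom.

```python
import re

def escape_xml(value):
    """Same character set as JSTL's fn:escapeXml: & < > " and '."""
    return (str(value).replace("&", "&amp;").replace("<", "&lt;")
            .replace(">", "&gt;").replace('"', "&#034;").replace("'", "&#039;"))

def resolve_el(value, auto_escape):
    """Stand-in for evaluating ${...}: with the escaping ELResolver installed
    every resolved value is escaped, without it the raw value is emitted."""
    return escape_xml(value) if auto_escape else str(value)

def render_include(title, auto_escape, override_param=False):
    """Models this constructed JSP:

      <jsp:include page="frag.jsp">
        <jsp:param name="title" value="${title}"/>
      </jsp:include>

    where frag.jsp contains ${param.title}. Step 1 resolves the param value,
    step 2 resolves ${param.title} inside frag.jsp. override_param models the
    custom tag that passes the raw value through at step 1 (assumption)."""
    passed = str(title) if override_param else resolve_el(title, auto_escape)
    return resolve_el(passed, auto_escape)

# An ampersand that was itself escaped in front of an entity name is the
# signature of escaping the same value twice.
DOUBLE_ESCAPE = re.compile(r"&amp;(?:amp|lt|gt|quot|apos|#\d+);")

def is_double_escaped(rendered):
    """True if rendered output carries a double-escaped entity."""
    return DOUBLE_ESCAPE.search(rendered) is not None

if __name__ == "__main__":
    sample = "<b>Tom & Jerry</b>"  # constructed untrusted input
    for auto, override in ((False, False), (True, False), (True, True)):
        out = render_include(sample, auto, override)
        print(f"auto_escape={auto} override={override}: {out!r} "
              f"double_escaped={is_double_escaped(out)}")
```

Without the resolver the markup passes through raw; with it, the value arrives as `&amp;lt;b&amp;gt;...` unless the param is overridden, which is exactly the per-include bookkeeping the post objects to.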