Mitigating XSS

4bdca24c · Matija Obreza · 9bd483f5 · 4bdca24c · 4bdca24c · 4bdca24c
Commit 4bdca24c authored Jun 07, 2016 by Matija Obreza
4 changed files
--- a/src/main/webapp/WEB-INF/jsp/user/edit.jsp
+++ b/src/main/webapp/WEB-INF/jsp/user/edit.jsp
 <!DOCTYPE html>

 <%@include file="/WEB-INF/jsp/init.jsp"%>
+<%@ taglib prefix="form" uri="http://www.springframework.org/tags/form" %>

 <html>
 <head>
@@ -15,13 +16,13 @@
 		<div class="form-group">
 			<label for="name" class="col-lg-2 control-label"><spring:message code="registration.full-name" /></label>
 			<div class="col-lg-3">
-				<input type="text" id="name" name="name" class="span3 form-control" value="${user.name}" />
+				<form:input id="name" name="name" class="span3 form-control" path="user.name" />
 			</div>
 		</div>
 		<div class="form-group">
 			<label for="email" class="col-lg-2 control-label"><spring:message code="registration.email" /></label>
 			<div class="col-lg-3">
-				<input type="text" id="email" name="email" class="span3 form-control" value="${user.email}" />
+				<form:input id="email" name="email" class="span3 form-control" path="user.email" />
 			</div>
 		</div>


--- a/src/main/webapp/WEB-INF/jsp/user/index.jsp
+++ b/src/main/webapp/WEB-INF/jsp/user/index.jsp
@@ -21,8 +21,8 @@
 		<c:forEach items="${pagedData.content}" var="user" varStatus="status">
 			<tr class="clearfix ${status.count % 2 == 0 ? 'even' : 'odd'}">
 				<td><c:if test="${not user.systemAccount}"><a href="<c:url value="/profile/${user.uuid}" />"><c:out value="${user.name}" /></a></c:if></td>
-				<td>${user.uuid}</td>
-				<td>${user.email}</td>
+				<td><c:out value="${user.uuid}" /></td>
+				<td><c:out value="${user.email}" /></td>
 				<td>
 					<c:if test="${user.systemAccount}">SYSTEM</c:if>
 					<c:if test="${not user.enabled}">DISABLED</c:if>

--- a/src/main/webapp/WEB-INF/jsp/user/profile.jsp
+++ b/src/main/webapp/WEB-INF/jsp/user/profile.jsp
@@ -16,13 +16,13 @@
 	<div class="form-horizontal">
 		<div class="form-group">
 			<label for="password" class="col-lg-2 control-label"><spring:message code="user.full-name" /></label>
-			<div class="col-lg-5">${user.name}</div>
+			<div class="col-lg-5"><c:out value="${user.name}" /></div>
 		</div>

 		<security:authorize access="hasRole('ADMINISTRATOR') || (isAuthenticated() && principal.user.id == #user.id)">
 			<div class="form-group">
 				<label for="password" class="col-lg-2 control-label"><spring:message code="user.email" /></label>
-				<div class="col-lg-5">${user.email}</div>
+				<div class="col-lg-5"><c:out value="${user.email}" /></div>
 			</div>

 			<div class="form-group">

--- a/src/main/webapp/WEB-INF/web.xml
+++ b/src/main/webapp/WEB-INF/web.xml
@@ -26,16 +26,18 @@
        <!--<param-value>classpath:spring/application-context.xml</param-value>-->
    <!--</context-param>-->

-    <context-param>
-        <param-name>contextClass</param-name>
-        <param-value>
-            org.springframework.web.context.support.AnnotationConfigWebApplicationContext
-        </param-value>
-    </context-param>
-    <context-param>
-        <param-name>contextConfigLocation</param-name>
-        <param-value>org.genesys2.spring.config.ApplicationConfig</param-value>
-    </context-param>
+	<context-param>
+		<param-name>contextClass</param-name>
+		<param-value>org.springframework.web.context.support.AnnotationConfigWebApplicationContext</param-value>
+	</context-param>
+	<context-param>
+		<param-name>contextConfigLocation</param-name>
+		<param-value>org.genesys2.spring.config.ApplicationConfig</param-value>
+	</context-param>
+	<context-param>
+		<param-name>defaultHtmlEscape</param-name>
+		<param-value>true</param-value>
+	</context-param>

 	<listener>
 	    <listener-class>com.hazelcast.web.SessionListener</listener-class>