Spring MVC defaultHtmlEscape: does it work on input or on output?

When I set defaultHtmlEscape to true in web.xml, the values set in all input fields get escaped.

But when they are submitted, the values are not escaped.

So, is it true that this parameter is only for output, and does not cover the submission of parameters (and so, if I want to store xss-safe values in the database, I should do something else)?

asked 02 Feb 12 at 10:02

2 Answers

The default HTML escape setting for input fields is already true, so setting it to true means the behaviour you get by default.

Moreover, I guess if you want to store xss-safe values in the database you need to set it to false in order to avoid double escaping.

So, you need something different to achieve escaping on input, perhaps a filter. Though I don't think that input escaping is a good idea, consistent output escaping looks more reliable, and doesn't create problems with processing data in the database.

Answered 02 Feb 12 at 15:02

@axtact why don't you think that input escaping is a good idea? - Ithar

@Ithar Some reasons that come to my mind are: a/ because you could insert invalid characters in many ways, and as a result you would have to perform a consistent check everywhere you have inputs. b/ Also, in some cases somebody could, for example, have access to the db and add an invalid expression there. In that case, since db input is not checked for xss, you would have a potential vulnerability. - Smalis Sklavos
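The trade-off this answer describes (escape once on output versus escape on input and risk double escaping, or switch escaping off and trust the database), as an added example that is not code from the question or the answers. It uses Spring's real HtmlUtils.htmlEscape, which is what the form tags apply when escaping is on; the class, method names and sample values are mine, and the "input-escaping filter" is a hypothetical stand-in for the filter mentioned above.

```java
import org.springframework.web.util.HtmlUtils;

public class EscapeOnOutputDemo {

    /*
     * Stand-in for what a <form:input> writes for a bound value. With the
     * defaultHtmlEscape context-param (or htmlEscape="true" on the tag) the
     * value attribute goes through HtmlUtils.htmlEscape; otherwise it is
     * written unchanged.
     */
    static String renderInput(String boundValue, boolean htmlEscape) {
        String v = htmlEscape ? HtmlUtils.htmlEscape(boundValue) : boundValue;
        return "<input type=\"text\" name=\"someProperty\" value=\"" + v + "\"/>";
    }

    // Hypothetical input-escaping filter: escapes the parameter before it is
    // bound to the model and stored.
    static String escapeOnInput(String submittedValue) {
        return HtmlUtils.htmlEscape(submittedValue);
    }

    public static void main(String[] args) {
        String submitted = "<script>alert(1)</script>"; // constructed sample submission

        // 1. Store raw, escape once on output (what defaultHtmlEscape=true does):
        //    the markup is neutralised exactly where it is rendered.
        System.out.println(renderInput(submitted, true));
        // value="&lt;script&gt;alert(1)&lt;/script&gt;"

        // 2. Escape on input as well: the stored value is already escaped, so the
        //    form tag escapes it again and the user sees a literal "&lt;script&gt;".
        String storedEscaped = escapeOnInput(submitted);
        System.out.println(renderInput(storedEscaped, true));
        // value="&amp;lt;script&amp;gt;alert(1)&amp;lt;/script&amp;gt;"

        // 3. Switching defaultHtmlEscape off to avoid 2. means any value that reached
        //    the database without passing through the filter (point b/ above) is
        //    written into the page unchanged.
        String fromDbDirectly = submitted; // constructed: bypassed the filter
        System.out.println(renderInput(fromDbDirectly, false));
        // value="<script>alert(1)</script>"
    }
}
```

Compile it against spring-web on the classpath; only case 1 keeps the stored data intact and the rendered page safe.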

I think that to escape form input, one should do:

<form:input path="someProperty" htmlEscape="true" />

Answered 02 Feb 12 at 15:02

Doesn't this simply override the value set in web.xml? And isn't there a generic way (set for the whole application)? - Bozho

The defaultHtmlEscape should have high precedence as it's mostly used by your Spring context (e.g. RequestContext). As for response, I don't really know. - Buhake Sindi
