Question

I have a situation here: I have a page which is using <c:out> to show data from the DB, in which the content has some special characters such as the registered trademark. I am using Java, JSP and JSTL in my code. The registered trademark symbol is displayed as:

®

The imports are exactly perfect, like:

 <%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
 <%@ page contentType="text/html; charset=UTF-8" pageEncoding="UTF-8" %>

If I print using the code below, it displays the correct registration mark, but the thing is that it causes a security violation.

 <c:out escapeXml="false" value="${prName}"/>

I am using Veracode to scan my code; since I have given escapeXml="false" here, Veracode points out that this is a vulnerability.

So when I remove the escapeXml, it is displayed as is, like:

 <span class="sup">&reg;</span>

Kindly suggest me a way out of this problem? Any help is deeply appreciated.


Solution

Because you allow tags in your page, it is treated as a vulnerability.

Instead of writing

<span class="sup">&reg;</span>

you could write

<script>alert("Alert");</script>

which would be a persistent XSS.

Try to refactor your code to not include any tags inside your value from the database. Otherwise, be sure that the value from the database is sanitized.
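The refactor the answer recommends, as an added example that is not part of the original question or answer. `escapeXml` below reimplements the five-character escaping that JSTL's `<c:out>` applies by default (`<`, `>`, `&`, `'`, `"`); everything else, including the U+00AE character itself, passes through unchanged, which is why storing the plain character instead of `<span class="sup">&reg;</span>` makes `escapeXml="false"` unnecessary. `migrateLegacyMarkup`, `TrademarkEscapeDemo` and the sample values are assumptions for illustration; the migration accepts only the exact markup quoted in the question, so any other tag in a DB value stays escaped rather than rendered.

```java
import java.util.regex.Pattern;

// Added example, not code from the original post.  Shows why <c:out> turns the
// stored markup into visible text, why escapeXml="false" is a stored-XSS sink,
// and how to refactor so the value never needs to be output unescaped.
public class TrademarkEscapeDemo {

    // Same five characters that JSTL's <c:out> escapes when escapeXml="true"
    // (the default).  U+00AE and other non-ASCII text are passed through, so a
    // real registered-trademark character survives with pageEncoding="UTF-8".
    static String escapeXml(String s) {
        StringBuilder out = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '&':  out.append("&amp;");  break;
                case '\'': out.append("&#039;"); break;
                case '"':  out.append("&#034;"); break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // One-time data fix (assumption: this is the only markup ever stored).
    // Only the exact legacy pattern is rewritten to the plain character; any
    // other markup is left as-is so <c:out> escapes it instead of rendering it.
    private static final Pattern LEGACY_REG =
        Pattern.compile("<span class=\"sup\">&reg;</span>", Pattern.LITERAL);

    static String migrateLegacyMarkup(String dbValue) {
        return LEGACY_REG.matcher(dbValue).replaceAll("\u00AE");
    }

    public static void main(String[] args) {
        // Constructed sample values: a legacy DB row and a stored-XSS payload.
        String legacy  = "Acme<span class=\"sup\">&reg;</span>";
        String payload = "Acme<script>alert(\"Alert\");</script>";

        // escapeXml="true": the markup is shown as text (the symptom in the question)
        System.out.println("escaped legacy : " + escapeXml(legacy));
        // escapeXml="false": the payload reaches the browser unchanged
        System.out.println("unescaped      : " + payload);
        // after the refactor: plain character in the DB, default escaping kept
        System.out.println("migrated legacy: " + escapeXml(migrateLegacyMarkup(legacy)));
        System.out.println("migrated xss   : " + escapeXml(migrateLegacyMarkup(payload)));
    }
}
```

With the migrated value, the JSP stays at the safe default, `<c:out value="${prName}"/>`, and Veracode has nothing to flag. If the superscript styling is actually required, keep the `<span class="sup">` in the JSP template itself and store only the plain name in the database, so the markup is authored by the page and the data is always escaped.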

Licensed under: CC-BY-SA with attribution