<p>You normally escape XSS during <strong>display</strong>, not during <strong>store</strong>. In JSP you can use the <a href="http://java.sun.com/products/jsp/jstl/1.1/docs/tlddocs/" rel="nofollow noreferrer">JSTL</a> (just drop <a href="http://download.java.net/maven/1/jstl/jars/jstl-1.2.jar" rel="nofollow noreferrer">jstl-1.2.jar</a> in <code>/WEB-INF/lib</code>) <a href="http://java.sun.com/products/jsp/jstl/1.1/docs/tlddocs/c/out.html" rel="nofollow noreferrer"><code>&lt;c:out&gt;</code></a> tag or <a href="http://java.sun.com/products/jsp/jstl/1.1/docs/tlddocs/fn/escapeXml.fn.html" rel="nofollow noreferrer"><code>fn:escapeXml</code></a> function for this. E.g.</p>
<pre><code>&lt;input name="foo" value="&lt;c:out value="${param.foo}" /&gt;"&gt;</code></pre>
<p>or</p>
<pre><code>&lt;input name="foo" value="${fn:escapeXml(param.foo)}"&gt;</code></pre>
<p>That's it. If you do it during processing the input and/or storing in the DB as well, then it's all spread over the business code and/or the database. You should not do that; it's only maintenance trouble and you will risk double-escapes or more when you do it at different places (e.g. <code>&amp;</code> would become <code>&amp;amp;amp;</code> instead of <code>&amp;amp;</code>, so that the end user would literally see <code>&amp;amp;</code> instead of <code>&amp;</code> in the view). The code and DB are not sensitive to XSS. Only the view is. You should then escape it only <em>right there</em>.</p>
<p><strong>Update</strong>: you've posted 4 topics about the same subject:</p>
<ul>
<li><a href="https://stackoverflow.com/questions/2318291/cross-site-scripting-hidden-form-fields">Cross Site Scripting - Hidden Form Fields</a></li>
<li><a href="https://stackoverflow.com/questions/2319313/httpservletrequest-quick-way-to-encode-url-and-hidden-field-paramaters">HttpServletRequest - Quick way to encode url and hidden field paramaters</a></li>
<li><a href="https://stackoverflow.com/questions/2319638/httpservletrequest-setparameter">HttpServletRequest - SetParameter</a></li>
<li>This one.</li>
</ul>
<p>I will only warn you: you do <strong>not</strong> need to escape it in servlet/filter/javacode/database/whatever. You're only unnecessarily overcomplicating things. Just escape it during display. That's all.</p>
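<p>As an added illustration of the double-escaping the answer describes (example code, not the answer's own or JSTL's), a plain Java program with an <code>escapeXml</code> method that mirrors the JSTL character mapping, an in-memory map standing in for the database, and a <code>render</code> method doing in code what <code>&lt;c:out&gt;</code> / <code>fn:escapeXml</code> do in the view. Class and method names are made up for this example.</p>

```java
import java.util.HashMap;
import java.util.Map;
/** Escape-once demo: the view always escapes; escaping at store time on top of that
 *  produces the double-escaping the answer warns about (&amp;amp; shown literally as &amp;). */
public class EscapeOnceDemo {
    /** Same character mapping JSTL's fn:escapeXml and <c:out escapeXml="true"> apply. */
    static String escapeXml(String s) {
        if (s == null) return "";
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&#034;"); break;
                case '\'': sb.append("&#039;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Constructed in-memory stand-in for the database. */
    static final Map<String, String> DB = new HashMap<>();

    /** The anti-pattern: escaping while storing, so the DB no longer holds what the user typed. */
    static void storeEscaped(String key, String userInput) { DB.put(key, escapeXml(userInput)); }

    /** What the answer recommends: store the raw value; escaping is a view concern. */
    static void storeRaw(String key, String userInput) { DB.put(key, userInput); }

    /** The view layer, equivalent to: <input name="foo" value="${fn:escapeXml(...)}"> */
    static String render(String key) {
        return "<input name=\"foo\" value=\"" + escapeXml(DB.get(key)) + "\">";
    }

    public static void main(String[] args) {
        String typed = "Tom & Jerry <3";   // constructed sample input, not an attack string
        storeRaw("escaped-once", typed);
        System.out.println("store raw, escape in view:    " + render("escaped-once"));
        storeEscaped("escaped-twice", typed);
        System.out.println("escape in store AND in view:  " + render("escaped-twice"));
    }
}
```

Compare the two printed <code>value</code> attributes: the first decodes in the browser to exactly what was typed, the second has had <code>&amp;</code> itself escaped a second time, which is what the user then sees literally.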
 
