StackOverflow2013

Note that there are some explanatory texts on larger screens.

plurals

POAlternative to using c:out to prevent XSS
primarykey
Id
4465583
data
AcceptedAnswerId
0
AnswerCount
3
ClosedDate
CommentCount
0
CommunityOwnedDate
CreationDate
2010-12-16T21:34:17.817
FavoriteCount
5
LastActivityDate
2017-08-22T13:12:24.977
LastEditDate
2017-08-22T13:12:24.977
LastEditorUserId
3885376
OwnerUserId
476260
ParentId
0
PostTypeId
1
Score
8
ViewCount
10559
LastEditorDisplayName
text
Body
I'm working on preventing cross site scripting (XSS) in a Java, Spring based, Web application. I have already implemented a servlet filter similar to this example <a href="http://greatwebguy.com/programming/java/simple-cross-site-scripting-xss-servlet-filter/" rel="nofollow noreferrer">http://greatwebguy.com/programming/java/simple-cross-site-scripting-xss-servlet-filter/</a> which sanitizes all the input into the application. As an extra security measure I would like to also sanitize all output of the application in all JSPs. I have done some research to see how this could be done and found two complementary options. One of them is the use of Spring's <code>defaultHtmlEscape</code> attribute. This was very easy to implement (a few lines in web.xml), and it works great when your output is going through one of spring's tags (ie: message, or form tags). The other option I have found is to not directly use EL expressions such as <code>${...}</code> and instead use <code><c:out value="${...}" /></code> That second approach works perfectly, however due to the size of the application I am working on (200+ JSP files). It is a very cumbersome task to have to replace all inappropriate uses of EL expressions with the <code>c:out</code> tag. Also it would become a cumbersome task in the future to make sure all developers stick to this convention of using the <code>c:out</code> tag (not to mention, how much more unreadable the code would be). Is there alternative way to escape the output of EL expressions that would require fewer code modifications?
Tags
<security><spring><jsp><xss><jstl>
Title
Alternative to using c:out to prevent XSS
singulars
PostAcceptedAnswerId
1. This table or related slice is empty.
PostParentId
1. This table or related slice is empty.
PostTypePostTypeId
1. PTQuestion
UserLastEditorUserId
1. This table or related slice is empty.
UserOwnerUserId
1. USggreiner
plurals
PostLinksPostIdRelatedPostId
1. This table or related slice is empty.
PostLinksRelatedPostIdPostId
1. PL
 singulars
 LinkTypeLinkTypeId
 LTLinked
2. PL
 singulars
 LinkTypeLinkTypeId
 LTLinked
PostsAcceptedAnswerId
1. This table or related slice is empty.
PostsParentIdCreationDate
1. PO
 singulars
 PostTypePostTypeId
 PTAnswer
2. PO
 singulars
 PostTypePostTypeId
 PTAnswer
3. PO
 singulars
 PostTypePostTypeId
 PTAnswer
VotesPostIdCreationDate
1. VO
 singulars
 PostPostId
 POAlternative to using c:out to prevent XSS
 UserUserId
 This table or related slice is empty.
 VoteTypeVoteTypeId
 VTUpMod
2. VO
 singulars
 PostPostId
 POAlternative to using c:out to prevent XSS
 UserUserId
 This table or related slice is empty.
 VoteTypeVoteTypeId
 VTUpMod
3. VO
 singulars
 PostPostId
 POAlternative to using c:out to prevent XSS
 UserUserId
 USRoland Illig
 VoteTypeVoteTypeId
 VTFavorite
CommentsPostId
1. This table or related slice is empty.

Querying!

Guidance

A row detail

Detail views are divided into sections. All the information in the data section comes from columns in the selected row. The other sections display data from other, related rows.

Related data can be related in a to-one or a to-many fashion. Captions of data related in a to-many fashion link to a list view showing a filtered view of the table.

Try moving around until you find a non-empty to-many entry and click on the label to get to one. You can move back to the root by clicking on the database name in the header.