CRSF token and spring

http://seamframework.org/Documentation/CrossSiteScripting

<h:outputText value="#{param.name}" escape="false"/>  <!-- DON'T DO THIS! XSS SECURITY HOLE! -->

but do this:

<h:outputText value="#{myBean.myTextContent}" escape="false"/>  <!-- Content contains &entity; and is already safe! -->

Like this:

Be the first to like this post.

This entry was written by muthu, posted on April 19, 2010 at 3:57 pm, filed under Uncategorized and tagged cross side scripting, CSRF, spring, Xss attack on spring. Bookmark the permalink. Follow any comments here with the RSS feed for this post. Post a comment or leave a trackback: Trackback URL.

Leave a Reply Cancel reply

Enter your comment here...

Fill in your details below or click an icon to log in:

Email (required) (Address never made public)

Name (required)

Website

You are commenting using your WordPress.com account. ( Log Out / Change )

You are commenting using your Twitter account. ( Log Out / Change )

You are commenting using your Facebook account. ( Log Out / Change )

Cancel

Connecting to %s

theTechLog

CRSF token and spring

Like this:

Leave a Reply Cancel reply

Pages

Categories

Archives

Search

Blogroll

RSS Feeds

Meta

Follow “theTechLog”