I have a situation here: I have a page using <c:out>
to show data from the DB, and the content has special characters such as the registered trademark. I am using Java, JSP and JSTL in the code. The registered trademark symbol is displayed as:
®
The imports are perfect:
<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
<%@ page contentType="text/html; charset=UTF-8" pageEncoding="UTF-8" %>
If I print using the code below, it displays the correct registration mark; the thing is that it causes a security violation.
<c:out escapeXml="false" value="${prname}"/>
I am using Veracode to scan the code, and since I have given escapeXml="false" here,
Veracode points out a vulnerability.
So when I remove escapeXml, it displays:
<span class="sup">®</span>
Kindly suggest me a way out of this problem? Appreciated.
Because allowing tags in the page is treated as a vulnerability.
Instead of writing
<span class="sup">®</span>
you write
<script>alert("alert");</script>
which is persistent XSS.
Try to refactor the code to not include tags inside the value from the database. Else make sure the value from the database is sanitized.
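One way to follow this advice while keeping escapeXml="true" for everything else, as an added example that is not part of the original answer (the class name, the `renderProductName` method and the sample values are assumptions): escape the DB value the same way JSTL's escapeXml does, then restore only the one `<span class="sup">` wrapper around the registered mark, so any other tag stays escaped and renders as text.

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Added example: fully escape a DB value, then allow back one known-safe fragment. */
public final class SafeMarkup {

    // The only markup fragment a DB value may contribute to the page (assumed allowlist).
    private static final Pattern SUP_REG = Pattern.compile(
        "<span class=\"sup\">(&reg;|\u00AE)</span>");

    /** Same five replacements JSTL applies for escapeXml="true". */
    public static String escapeXml(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&#034;"); break;
                case '\'': sb.append("&#039;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /**
     * Escapes every character of the value, except that each allowlisted
     * "sup" wrapper is re-emitted as fixed markup. A script element or any
     * other tag in the DB value is therefore shown as literal text.
     */
    public static String renderProductName(String dbValue) {
        Matcher m = SUP_REG.matcher(dbValue);
        StringBuilder out = new StringBuilder();
        int last = 0;
        while (m.find()) {
            out.append(escapeXml(dbValue.substring(last, m.start())));
            out.append("<span class=\"sup\">&reg;</span>"); // constant, never from input
            last = m.end();
        }
        out.append(escapeXml(dbValue.substring(last)));
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed sample values: one legitimate, one containing the tag from the answer.
        System.out.println(renderProductName("Acme<span class=\"sup\">&reg;</span> Widget"));
        System.out.println(renderProductName("Acme<script>alert(\"alert\");</script>"));
    }
}
```

The sanitized string is the only thing that should ever reach a `<c:out escapeXml="false">`, and storing the plain ® character in the DB instead of the span removes the need for any of this.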