Spring Misconfiguration: HTML Escaping disabled
Description
This Spring web application disables the automatic HTML escaping that Spring's JSP tags (spring:bind, spring:message, spring:escapeBody and the form:* tags) apply to the values they render, typically by setting the defaultHtmlEscape context parameter to false or by declaring htmlEscape="false" on a tag. With escaping off, any model attribute, bound form value or message argument that originated from user input is written into the page verbatim, so a value such as a user-supplied display name containing a script tag is rendered as markup instead of text. This is a direct path to reflected or stored Cross-Site Scripting (XSS).
Remediation
It's recommended to enable HTML escaping for Spring tags. Application-wide, this is configured from web.xml as in the example below. Note that when the parameter is absent Spring also falls back to not escaping, so set it to true explicitly rather than just deleting the false value (in a Spring Boot application without a web.xml the same context parameter can be supplied as the property server.servlet.context-parameters.defaultHtmlEscape=true):
<pre>
<web-app>
  ...
  <context-param>
    <param-name>defaultHtmlEscape</param-name>
    <param-value>true</param-value>
  </context-param>
  ...
</web-app>
</pre>
At page level, the default is set with a tag declaration near the top of the JSP; it overrides the web.xml value for that page only:
<pre>
<spring:htmlEscape defaultHtmlEscape="true" />
</pre>
Individual tags can additionally be forced to escape with the htmlEscape="true" attribute, and the same attribute set to "false" re-introduces the problem for that one tag even when the global default is enabled, so review every explicit htmlEscape="false" as carefully as the global setting. The setting only governs Spring's own tags: values written with plain JSP EL such as ${user.displayName} are never escaped by it and must go through <c:out>, fn:escapeXml or <spring:escapeBody htmlEscape="true"> instead.
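The following JSP is an added example, not code from the original page or from the Spring project, showing the three escaping levels side by side with a constructed XSS payload. It assumes a controller has placed a model attribute named "user" (a hypothetical bean with a String field "displayName") and a message bundle entry with the code "greeting" taking one argument; both names are assumptions for the illustration.

```jsp
<%@ page contentType="text/html;charset=UTF-8" pageEncoding="UTF-8" %>
<%@ taglib prefix="spring" uri="http://www.springframework.org/tags" %>
<%@ taglib prefix="form"   uri="http://www.springframework.org/tags/form" %>
<%@ taglib prefix="c"      uri="http://java.sun.com/jsp/jstl/core" %>

<%-- Constructed payload for the walk-through (an assumption, not real data):
     user.displayName = <script>alert(1)</script>
     request parameter q = "><img src=x onerror=alert(1)>
     The bean "user" and message code "greeting" are hypothetical names. --%>

<%-- Page-level default: every Spring tag below escapes unless it opts out.
     This overrides the defaultHtmlEscape context-param for this page only. --%>
<spring:htmlEscape defaultHtmlEscape="true" />

<form:form modelAttribute="user" method="post">
  <%-- Escaped because of the page default above; renders as
       value="&lt;script&gt;alert(1)&lt;/script&gt;" --%>
  <form:input path="displayName" />

  <%-- Explicit per-tag override: safe even if defaultHtmlEscape were false --%>
  <form:input path="displayName" htmlEscape="true" />

  <%-- VULNERABLE: htmlEscape="false" re-enables the injection for this tag
       regardless of web.xml or the page default. Kept here only to show what
       the scanner flags; remove it in real code. --%>
  <form:input path="displayName" htmlEscape="false" />
</form:form>

<%-- spring:bind exposes the bound value through ${status.value}; with escaping
     on, BindStatus already returns the escaped string, so this is safe. --%>
<spring:bind path="user.displayName">
  <span>${status.value}</span>
</spring:bind>

<%-- Message arguments taken from the request are escaped together with the
     resolved message text when htmlEscape is true. --%>
<spring:message code="greeting" arguments="${param.q}" htmlEscape="true" />

<%-- Caveat: plain EL is outside Spring's escaping entirely.
     The first line below is vulnerable no matter what defaultHtmlEscape says. --%>
<p>${param.q}</p>
<p><c:out value="${param.q}" /></p>
<p><spring:escapeBody htmlEscape="true">${param.q}</spring:escapeBody></p>
```

When reviewing a flagged application, grep the JSPs for htmlEscape="false" and for bare ${...} expressions that echo request or model data; enabling defaultHtmlEscape fixes the first category of tags but the bare EL lines still need <c:out> or <spring:escapeBody> as shown.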