Spring Misconfiguration: HTML Escaping disabled - Vulnerability Database

Spring Misconfiguration: HTML Escaping disabled

Description

This Spring web application has disabled automatic HTML escaping for Spring JSP tags. When HTML escaping is disabled, user-supplied data rendered through Spring tags will not be automatically sanitized, allowing potentially malicious HTML and JavaScript code to be executed in users' browsers. This configuration weakness creates conditions that enable Cross-Site Scripting (XSS) attacks.

Remediation

Enable automatic HTML escaping for Spring tags to ensure user-supplied data is properly sanitized before rendering. This protection should be configured at the application level in your web.xml deployment descriptor:

<web-app>
    <context-param>
        <param-name>defaultHtmlEscape</param-name>
        <param-value>true</param-value>
    </context-param>
</web-app>

Alternatively, you can enable HTML escaping at the individual JSP page level using the Spring tag:

<%@ taglib prefix="spring" uri="http://www.springframework.org/tags" %>
<spring:htmlEscape defaultHtmlEscape="true" />

After enabling HTML escaping, thoroughly test your application to ensure that legitimate HTML content intended for rendering is handled appropriately. For cases where you need to render trusted HTML content, use explicit mechanisms rather than disabling escaping globally.
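The following audit script is an added example, not code from the original page or from Invicti or the Spring project. It checks a web.xml deployment descriptor for the defaultHtmlEscape context-param described above and then scans JSP sources for the page-level <spring:htmlEscape> override and for per-tag htmlEscape="false" opt-outs, so that the remaining places where escaping is switched off can be reviewed against the "trusted HTML only" rule. The descriptor and JSP samples are constructed for the demonstration; the JSP scan is a regex heuristic over the source text rather than a real tag parser, and the observation that Spring applies no escaping when the context-param is absent entirely is a property of Spring's tag defaults, which is why the script treats "unset" as a finding too.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample inputs (not taken from the original page).
WEB_XML_ESCAPING_ON = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
    <context-param>
        <param-name>defaultHtmlEscape</param-name>
        <param-value>true</param-value>
    </context-param>
</web-app>"""

WEB_XML_ESCAPING_OFF = WEB_XML_ESCAPING_ON.replace("<param-value>true", "<param-value>false")

WEB_XML_UNSET = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
    <display-name>demo</display-name>
</web-app>"""

# Constructed JSP: a page-level override plus one per-tag opt-out.
JSP_WITH_OVERRIDES = """<%@ taglib prefix="spring" uri="http://www.springframework.org/tags" %>
<%@ taglib prefix="form" uri="http://www.springframework.org/tags/form" %>
<spring:htmlEscape defaultHtmlEscape="false" />
<spring:message code="greeting" arguments="${param.name}" />
<form:input path="bio" htmlEscape="false" />
"""


def default_html_escape(web_xml):
    """Return True or False for an explicit defaultHtmlEscape context-param,
    or None when the param is absent. Spring escapes nothing when it is absent,
    so callers must treat None like False."""
    root = ET.fromstring(web_xml)
    # {*} matches any namespace, so javaee and jakartaee descriptors both work.
    for param in root.iterfind(".//{*}context-param"):
        name = (param.findtext("{*}param-name") or "").strip()
        if name == "defaultHtmlEscape":
            value = (param.findtext("{*}param-value") or "").strip().lower()
            return value == "true"
    return None


# Heuristic patterns over JSP source text (not a full JSP/tag parser).
PAGE_OVERRIDE = re.compile(
    r'<spring:htmlEscape\b[^>]*\bdefaultHtmlEscape\s*=\s*"(true|false)"', re.I)
TAG_OPT_OUT = re.compile(
    r'<(spring|form):(\w+)\b[^>]*\bhtmlEscape\s*=\s*"false"', re.I)


def audit_jsp(path, source):
    """Report page-level and per-tag escaping opt-outs in one JSP.
    Per-tag opt-outs may be deliberate for trusted content, so they are
    listed for review rather than declared vulnerabilities."""
    findings = []
    for m in PAGE_OVERRIDE.finditer(source):
        if m.group(1).lower() == "false":
            findings.append(f"{path}: <spring:htmlEscape> disables escaping for the whole page")
    for m in TAG_OPT_OUT.finditer(source):
        findings.append(f'{path}: <{m.group(1)}:{m.group(2)}> sets htmlEscape="false" '
                        "(review: trusted content only?)")
    return findings


def audit(web_xml, jsp_files):
    """Combine the descriptor check with per-page scans.
    jsp_files maps a path label to JSP source; returns a list of finding strings."""
    findings = []
    setting = default_html_escape(web_xml)
    if setting is None:
        findings.append("web.xml: defaultHtmlEscape not set (Spring tags will not escape)")
    elif setting is False:
        findings.append("web.xml: defaultHtmlEscape explicitly false")
    for path, source in jsp_files.items():
        findings.extend(audit_jsp(path, source))
    return findings


if __name__ == "__main__":
    pages = {"WEB-INF/views/profile.jsp": JSP_WITH_OVERRIDES}
    for label, xml in [("on", WEB_XML_ESCAPING_ON),
                       ("off", WEB_XML_ESCAPING_OFF),
                       ("unset", WEB_XML_UNSET)]:
        print(label)
        for finding in audit(xml, pages):
            print("  -", finding)
```

Run against a real deployment, the same functions take the contents of WEB-INF/web.xml and each JSP under WEB-INF/views; a clean result is an explicit defaultHtmlEscape of true with no page-level override and only per-tag opt-outs that a reviewer has tied to genuinely trusted content.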