Spring Misconfiguration: HTML Escaping disabled
Severity:
Medium
Summary
Invicti detected that the Spring web application is configured to disable the automatic HTML escaping for Spring tags which may lead to Cross-Site Scripting vulnerabilities.
Impact
Disabling the automatic HTML escaping for Spring tags may lead to Cross-Site Scripting vulnerabilities.
Remediation
Required Skills for Successful Exploitation
Actions To Take
It's recommended to enable HTML escaping for Spring tags. This can be configured from web.xml like in the example below:
<web-app>
...
<context-param>
<param-name>defaultHtmlEscape</param-name>
<param-value>true</param-value>
</context-param>
...
</web-app>
At page level, it is defined as a tag-declaration.
<spring:htmlEscape defaultHtmlEscape="true" />
Classifications
Vulnerability Index
You can search and find all vulnerabilities
Select Category
Select Vulnerability
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
Featured resources
Build your resistance to threats. And save hundreds of hours each month.
