Spring Misconfiguration: HTML Escaping disabled

Severity: Medium
Summary

Invicti detected that the Spring web application is configured to disable automatic HTML escaping for Spring tags, which may lead to Cross-Site Scripting vulnerabilities.

Impact

With automatic HTML escaping disabled, values rendered through Spring tags are written into the page unencoded, so user-controlled data can be interpreted as markup. This may lead to Cross-Site Scripting vulnerabilities.

Actions To Take

It is recommended to enable HTML escaping for Spring tags. This can be configured in web.xml as in the example below:

<web-app>
    ...
    <context-param>
        <param-name>defaultHtmlEscape</param-name>
        <param-value>true</param-value>
    </context-param>
    ...
</web-app>

At page level, the same setting is declared with a tag:

  <spring:htmlEscape defaultHtmlEscape="true" />
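The following script is an added audit check for this finding; it is not Invicti's detection logic or Spring code. It reads a web.xml deployment descriptor with the Python standard library and reports whether the defaultHtmlEscape context parameter is enabled, disabled, or absent. Descriptors with and without the Java EE namespace are handled, since ElementTree keys tags by their namespaced name. The sample descriptors embedded at the bottom are constructed for the example.

```python
"""Audit a Spring web.xml for the defaultHtmlEscape context parameter.

Added example for this finding (not Invicti's checker, not Spring code).
"""
import sys
import xml.etree.ElementTree as ET

PARAM = "defaultHtmlEscape"  # the context-param this finding is about


def _local(tag: str) -> str:
    """Strip an XML namespace prefix: '{uri}local' -> 'local'."""
    return tag.rsplit("}", 1)[-1]


def default_html_escape(web_xml: str) -> str:
    """Return 'enabled', 'disabled' or 'unset' for the given web.xml text.

    'enabled' means a context-param named defaultHtmlEscape with value
    'true' (case-insensitive). The remediation on this page is an explicit
    true, so anything other than 'enabled' is worth reporting.
    """
    root = ET.fromstring(web_xml)  # expat does not resolve external entities
    for elem in root.iter():
        if _local(elem.tag) != "context-param":
            continue
        name = value = ""
        for child in elem:
            if _local(child.tag) == "param-name":
                name = (child.text or "").strip()
            elif _local(child.tag) == "param-value":
                value = (child.text or "").strip()
        if name == PARAM:
            return "enabled" if value.lower() == "true" else "disabled"
    return "unset"


def not_enabled(descriptors: dict) -> list:
    """Return the names of descriptors whose escaping is not 'enabled'."""
    return [name for name, xml in descriptors.items()
            if default_html_escape(xml) != "enabled"]


# Constructed sample descriptors (not taken from any real deployment).
WEB_XML_ENABLED = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <context-param>
    <param-name>defaultHtmlEscape</param-name>
    <param-value>true</param-value>
  </context-param>
</web-app>"""

WEB_XML_DISABLED = """<web-app>
  <context-param>
    <param-name>contextConfigLocation</param-name>
    <param-value>/WEB-INF/spring/root-context.xml</param-value>
  </context-param>
  <context-param>
    <param-name>defaultHtmlEscape</param-name>
    <param-value>false</param-value>
  </context-param>
</web-app>"""

WEB_XML_UNSET = "<web-app><display-name>demo</display-name></web-app>"

SAMPLES = {
    "enabled.xml": WEB_XML_ENABLED,
    "disabled.xml": WEB_XML_DISABLED,
    "unset.xml": WEB_XML_UNSET,
}

if __name__ == "__main__":
    # With file paths on the command line, audit real descriptors;
    # otherwise run over the constructed samples.
    if len(sys.argv) > 1:
        inputs = {p: open(p, encoding="utf-8").read() for p in sys.argv[1:]}
    else:
        inputs = SAMPLES
    for name, xml in inputs.items():
        print(f"{name}: defaultHtmlEscape {default_html_escape(xml)}")
    flagged = not_enabled(inputs)
    print("needs attention:", ", ".join(flagged) if flagged else "none")
```

Run it with one or more web.xml paths to audit real descriptors, or with no arguments to see the three sample outcomes. Note that this only checks the global web.xml setting; an htmlEscape attribute on an individual tag, or a page-level spring:htmlEscape declaration, still overrides it for that tag or page.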
