1
votes

I have an input tag defined in my JSP as:

<input type="text" name="transCurrency" maxlength="10" size="10" value="<%=beanUseVec.getValue("transCurrency")%>" />

The corresponding function getValue() is defined in beanUseVec.java as:

// Returns the raw string stored under vectK, or "" when the map is missing or has no such key.
public String getValue(String vectK)
{
    if (uEnVec != null && uEnVec.containsKey(vectK)) {
        return (String) uEnVec.get(vectK);
    } else {
        return "";
    }
}

When I did a Veracode scan of my files, I found an XSS error being shown on the line:

<input type="text" name="transCurrency" maxlength="10" size="10" value="<%=beanUseVec.getValue("transCurrency")%>" />

It points out that <%=beanUseVec.getValue("transCurrency")%> is an XSS risk. Normally for other XSS risks in JSP, I use the JSTL c:out tag, which I think cannot be used here, since getValue() is not a POJO function; it's just a function which returns a string, and c:out needs a variable of the POJO function to be called.

Can someone suggest any other way to get rid of this XSS issue?


1 Answer

1
votes

You could save the output to a request variable and display it using the c:out tag.

<%@ taglib uri="http://java.sun.com/jsp/jstl/core" prefix="c" %>

<%
// Fetch the raw value once and expose it to EL as a request attribute.
String output = beanUseVec.getValue("transCurrency");
request.setAttribute("output", output);
%>

<%-- c:out escapes &, <, >, " and ' (escapeXml is true by default), so the value cannot break out of the attribute. --%>
<input type="text" name="transCurrency" maxlength="10" size="10" value="<c:out value='${output}'/>" />
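To make visible what the accepted fix actually changes, here is an added plain-Java example (not code from the question, the answer, or the JSTL project). It models beanUseVec.getValue() with a map, reproduces the five replacements that c:out performs with its default escapeXml="true", and renders the same input tag both the flagged way (raw <%= %> splice) and the fixed way. The class name AttributeEscapeDemo, the renderUnescaped/renderEscaped helpers, and the sample value are all assumptions made for this example.

```java
import java.util.HashMap;
import java.util.Map;

// Added example, not from the original question or answer: shows the raw vs.
// escaped attribute output outside a servlet container. The map stands in for
// the uEnVec field of beanUseVec.
public class AttributeEscapeDemo {

    // Stand-in for beanUseVec.getValue(): look a key up, "" when absent.
    static final Map<String, String> uEnVec = new HashMap<>();

    static String getValue(String vectK) {
        String v = uEnVec.get(vectK);
        return v != null ? v : "";
    }

    // The same replacements JSTL's <c:out> applies when escapeXml is true
    // (the default): & < > " ' become entity references.
    static String escapeXml(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&#034;"); break;
                case '\'': sb.append("&#039;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // What the flagged line does: the raw string is spliced into the attribute,
    // so a '"' in the value closes the attribute early.
    static String renderUnescaped(String key) {
        return "<input type=\"text\" name=\"" + key
             + "\" value=\"" + getValue(key) + "\" />";
    }

    // What the answer's <c:out value='${output}'/> produces.
    static String renderEscaped(String key) {
        return "<input type=\"text\" name=\"" + key
             + "\" value=\"" + escapeXml(getValue(key)) + "\" />";
    }

    public static void main(String[] args) {
        // Constructed sample value: one of each character that matters inside
        // a double-quoted HTML attribute. No real currency code looks like this.
        uEnVec.put("transCurrency", "US\"D<&'>");

        System.out.println("raw:     " + renderUnescaped("transCurrency"));
        System.out.println("escaped: " + renderEscaped("transCurrency"));
    }
}
```

Compile and run it with `javac AttributeEscapeDemo.java && java AttributeEscapeDemo`; the first line shows the double quote from the value terminating the attribute, the second shows every special character turned into an entity so the browser treats the whole string as attribute text. One caveat worth keeping in mind: this escaping is correct for HTML text and quoted attribute values, which is the context on this page, but a value placed inside an inline script block or a URL would need the encoding for that context instead.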