I am trying to add XSS prevention capabilities to my JSF/PrimeFaces system. From reference http://www.ibm.com/developerworks/library/se-prevent/, the way I understand how it should be done is:
- Data is saved as is (i.e. decoded) in the backend. For instance, "alert(/xss/)"
- When displayed as output, the web server (in the JSF case, managed beans) will encode the characters. For instance, "<script>alert(/xss!/)</script>"
- The browser will download the encoded script and convert it back to the decoded form. For instance, "alert(/xss/)". To achieve this in JSF, I would need to set the outputText attribute escape="false", otherwise it will escape the characters, as that is the default behavior.
Apart from the bother of having to explicitly set escape="false" in all my widgets, this solution seems to work. However, the problem comes when, instead of outputText widgets reading from my beans, I have inputText widgets, which will always keep the encoded string coming from the managed bean and never decode it back.
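To make the render-time encoding step concrete, here is an added example that is not from the question or from JSF/PrimeFaces: a minimal HTML text encoder and its inverse, run over a constructed payload. The class and method names are my own. The second half shows what happens when a value is encoded once when saved and again when rendered, which is the double-encoding situation an input field exposes: the browser decodes only one layer, so the user sees entity text instead of the original characters.

```java
import java.util.Objects;

/** Added example (not JSF's own renderer code): output encoding at render time. */
public final class OutputEncodingDemo {

    /**
     * Encode a raw string for insertion into HTML text or a quoted attribute.
     * This is the same set of characters a default (escape="true") outputText
     * and an inputText value attribute protect: & < > " '.
     */
    static String encodeForHtml(String raw) {
        if (raw == null) {
            return "";
        }
        StringBuilder sb = new StringBuilder(raw.length() + 16);
        for (int i = 0; i < raw.length(); i++) {
            char c = raw.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /**
     * Reverse exactly one layer of the entities above. This stands in for the
     * browser's HTML parser, which decodes entities once when building the DOM.
     * "&amp;" must be handled last so "&amp;lt;" decodes to "&lt;", not "<".
     */
    static String decodeOneLayer(String encoded) {
        Objects.requireNonNull(encoded, "encoded");
        return encoded
                .replace("&lt;", "<")
                .replace("&gt;", ">")
                .replace("&quot;", "\"")
                .replace("&#39;", "'")
                .replace("&amp;", "&");
    }

    /** Store raw, encode once at render time: the browser recovers the original text. */
    static boolean roundTripsWhenEncodedOnce(String raw) {
        return decodeOneLayer(encodeForHtml(raw)).equals(raw);
    }

    /** Encode when saving AND when rendering: the browser shows entity text, not the original. */
    static String whatUserSeesWhenEncodedTwice(String raw) {
        String storedEncoded = encodeForHtml(raw);      // encoded before saving
        String renderedTwice = encodeForHtml(storedEncoded); // encoded again by the component
        return decodeOneLayer(renderedTwice);           // browser removes only one layer
    }

    public static void main(String[] args) {
        // Constructed sample: the kind of value the question stores raw in the backend.
        String stored = "<script>alert(/xss/)</script>";

        System.out.println("rendered once : " + encodeForHtml(stored));
        System.out.println("round-trips   : " + roundTripsWhenEncodedOnce(stored));
        System.out.println("user sees if encoded twice: " + whatUserSeesWhenEncodedTwice(stored));
    }
}
```

Run it with `javac OutputEncodingDemo.java && java OutputEncodingDemo`. The first line is the markup the browser parses into literal text, the second confirms that one encode followed by one decode gives back the stored value, and the third is the entity-laden text that appears in a field when the bean already hands the component an encoded string. The defensive takeaway matches the question's first step: keep the backend value raw and let the component apply the single encoding at render time, so neither outputText nor inputText needs a second pass.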
Any ideas how I can handle this?