jsp - How to prevent JavaScript injection (XSS) when JSTL escapeXml is false

Question

I have a form that people can add their stuff. However, in that form, if they enter JavaScript instead of only text, they can easily inject whatever they want to do. In order to prevent it, I can set escapeXml to true, but then normal HTML would be escaped as well.

<td><c:out value="${item.textValue}" escapeXml="true" /></td>

Is there any other way to prevent JavaScript injection rather than setting this to true?

Answer 1

I'd recommend using Jsoup for this. Here's an extract of relevance from its site.

Sanitize untrusted HTML

Problem

You want to allow untrusted users to supply HTML for output on your website (e.g. as comment submission). You need to clean this HTML to avoid cross-site scripting (XSS) attacks.

Solution

Use the jsoup HTML Cleaner with a configuration specified by a Whitelist.

String unsafe = 
      "<p><a href='http://example.com/' onclick='stealCookies()'>Link</a></p>";
String safe = Jsoup.clean(unsafe, Whitelist.basic());
      // now: <p><a href="http://example.com/" rel="nofollow">Link</a></p>

So, all you basically need to do is the the following during processing the submitted text:

String text = request.getParameter("text");
String safe = Jsoup.clean(text, Whitelist.basic());
// Persist 'safe' in DB instead.

Jsoup offers more advantages than that as well. See also Pros and Cons of HTML parsers in Java.