XSS attack in XML: is ESAPI.encoder().encodeForXML() useful?

AndiJ

New Member
[code]
// Build the XML response; 'desc' comes from the user and is untrusted
xml.append("<alertDesc>");
xml.append(desc);
xml.append("</alertDesc>");
// Headers must be set before the body is written
response.setContentType("text/xml");
response.setHeader("Cache-Control", "no-cache");
response.getWriter().write(xml.toString());
[/code]

I have this piece of code which generates an XML and sends it to the JSP through AJAX to get the data in the 'desc' field to show on the UI. This has been reported to be vulnerable to XSS attack. So I use ESAPI from OWASP, the method ESAPI.encoder().encodeForXML(desc), to escape the desc field, so that the attack is nullified. I have done this after it was suggested and after doing some R&D on the XSS cheat sheet. Now I want to know whether this is the proper solution to the XSS attack or whether anything more needs to be done, as I can't test it for the XSS attack and the fixes are for the client reviews of the code. Please give any suggestions. Also, I am using Spring MVC. Will the XML or HTML escape be useful in this case?
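An added example (not the poster's code) showing the same response with the ESAPI XML encoder applied at the point the untrusted value is written into the markup, and with the headers set before the body; the class and method names are assumptions.

```java
import java.io.IOException;
import javax.servlet.http.HttpServletResponse;
import org.owasp.esapi.ESAPI;

// Hypothetical helper class; the names here are assumptions, not the poster's code.
public final class AlertXmlResponse {

    // Build the XML document. The untrusted 'desc' value is encoded with
    // ESAPI's XML encoder exactly where it lands in the markup, so any
    // '<', '&' or quote characters become entities and cannot close the
    // alertDesc element or introduce new elements or processing instructions.
    static String buildAlertXml(String desc) {
        StringBuilder xml = new StringBuilder();
        xml.append("<?xml version=\"1.0\" encoding=\"UTF-8\"?>");
        xml.append("<alert>");
        xml.append("<alertDesc>");
        xml.append(ESAPI.encoder().encodeForXML(desc));
        xml.append("</alertDesc>");
        xml.append("</alert>");
        return xml.toString();
    }

    // Content type, charset and cache headers are set before anything is
    // written: once the response is committed, later header changes are ignored
    // and the browser may sniff the body as HTML instead of XML.
    static void write(HttpServletResponse response, String desc) throws IOException {
        response.setContentType("text/xml;charset=UTF-8");
        response.setHeader("Cache-Control", "no-cache");
        response.getWriter().write(buildAlertXml(desc));
    }
}
```

The XML encoding only keeps the document well-formed; the browser's XML parser decodes the entities back to the original characters, so the script in the JSP that reads alertDesc must place the value in the page as text (for example via textContent), or HTML-encode it first if it builds HTML from it, otherwise the injection reappears on the client.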