Notes on an XSS vulnerability I once produced during web development

The program used SSM, with JSP pages as the view layer (the biggest cause of the XSS). The pages used many EL expressions, such as ${pageContext.request.contextPath} to get the context root path and ${param.xx} to read a URL parameter.

When a third-party assessment tested the pages that use this syntax heavily, it uncovered a lot of XSS vulnerabilities.

Solution: use the <c:out> tag from the JSTL tag library, which easily fixes the problem of EL expressions being open to XSS injection.

<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
<!-- Variables output through the c tag have their special characters escaped automatically -->
<c:out value="${param.xx}"/>
<c:out value="${pageContext.request.contextPath}"/>
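
As an added example (not part of the original post), here is a small Python check a reviewer can run over JSP source to find EL expressions that reach the response unescaped: raw ${...} in template text or in a non-JSTL tag's attribute, and <c:out> with escapeXml="false". The sample JSP is constructed, and the set of JSTL control tags treated as non-output is an assumption.

```python
import re

# Constructed sample JSP fragment (assumption: not from the original post),
# mixing the patterns the post describes.
SAMPLE_JSP = """<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
<a href="${pageContext.request.contextPath}/home">home</a>
<p>Hello, ${param.name}!</p>
<p>Hello, <c:out value="${param.name}"/>!</p>
<p><c:out value="${param.name}" escapeXml="false"/></p>
<c:if test="${not empty param.name}">shown</c:if>
<c:set var="n" value="${param.name}"/>
"""

EL_RE = re.compile(r"\$\{[^}]*\}")
# One token per JSP directive/scriptlet (<% ... %>) or per HTML/JSTL tag with quoted attributes.
TOKEN_RE = re.compile(
    r"<%.*?%>|<(/?)([\w:.-]+)((?:\s+[\w:.-]+\s*=\s*(?:\"[^\"]*\"|'[^']*'))*)\s*/?>", re.S)
# JSTL core tags that take EL as data or conditions and never write it to the response (assumed list).
NON_OUTPUT_TAGS = {"c:if", "c:set", "c:forEach", "c:forTokens", "c:choose", "c:when",
                   "c:otherwise", "c:remove", "c:catch"}
ESCAPE_OFF_RE = re.compile(r"escapeXml\s*=\s*[\"']false[\"']")


def find_unescaped_el(jsp):
    """Return (line, expression, reason) for each EL expression reaching the response unescaped."""
    findings = []

    def flag(start, text, reason):
        findings.append((jsp.count("\n", 0, start) + 1, text, reason))
    pos = 0
    for tok in TOKEN_RE.finditer(jsp):
        # Template text between tags: EL here is written raw, exactly like the post's ${param.xx}.
        for m in EL_RE.finditer(jsp, pos, tok.start()):
            flag(m.start(), m.group(0), "raw EL in template text")
        pos = tok.end()
        name, attrs = tok.group(2), tok.group(3)
        if name is None or not attrs or name in NON_OUTPUT_TAGS:
            continue  # directive/scriptlet, attribute-less tag, or JSTL control tag
        if name == "c:out" and not ESCAPE_OFF_RE.search(attrs):
            continue  # <c:out> escapes by default; only escapeXml="false" turns it off
        reason = '<c:out escapeXml="false">' if name == "c:out" else f"raw EL in attribute of <{name}>"
        for m in EL_RE.finditer(attrs):
            flag(tok.start(3) + m.start(), m.group(0), reason)
    for m in EL_RE.finditer(jsp, pos):  # trailing text after the last tag
        flag(m.start(), m.group(0), "raw EL in template text")
    return findings


if __name__ == "__main__":
    for line, expr, reason in find_unescaped_el(SAMPLE_JSP):
        print(f"line {line}: {expr}  ({reason})")
```

On the sample it reports lines 2, 3 and 5 and stays silent on the <c:out>, <c:if> and <c:set> uses.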

The project was developed collaboratively by several people, so inevitably different people used different techniques for the same features, such as page rendering: I like to use Vue, others like to use jQuery.
When Vue renders data it automatically escapes special characters, e.g. <script>alert(1)</script> becomes &lt;script&gt;alert(1)&lt;/script&gt;. Note, however, that assigning a value to a Vue property does not escape it; the escaping happens when {{}}, :value="" or v-model renders it into the page.
jQuery assignment does not escape, which results in XSS.

There are many popular approaches online, such as adding an XSS filter, or escaping parameters in the back end as they are received.

See also: https://www.iteye.com/blog/bijian1013-2374277

If the data is not escaped in the back end when it is stored, then at least escape it when the front end outputs it.

See also: https://www.cnblogs.com/willingtolove/p/11059325.html

Origin www.cnblogs.com/dagger9527/p/12074501.html