[WEB SECURITY] HTMLEncoding in textarea in java

mike mike9966 at rediffmail.com
Tue Sep 9 11:18:48 EDT 2008


I have an instance where user-supplied data is initially stored in the database and later displayed back to the browser in a <textarea> field. 

When I try to encode the value using server.encodeHTML, the script still executes in the browser, leading to XSS. 

To give an instance,

<bc:textarea name="userdata" id="userdata" (this,255);"'>${addEditConfigurationForm.userdata}</bc:textarea>

Kindly let me know how to implement encoding in this instance to mitigate XSS.
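An added example, not code from the original post, showing output-time HTML encoding of the textarea body so that stored data cannot close the element early. The htmlEncode helper here is a hypothetical stand-in for whatever server.encodeHTML is meant to do; in JSTL the same effect comes from <c:out value="${...}"/> or fn:escapeXml().

```java
// Added example (not from the original post). Demonstrates why HTML-encoding
// the <textarea> body at render time stops injected markup from being parsed.
// htmlEncode is a hypothetical stand-in for the framework's server.encodeHTML.
public class TextareaEncoding {

    // Escape the five characters that can change HTML structure or attribute
    // boundaries. This is the minimum an HTML-content encoder must cover.
    static String htmlEncode(String s) {
        if (s == null) return "";
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Render the textarea the way the JSP in the post does, with the stored
    // value placed between the tags. Encoding belongs here, at output time,
    // not when the value is written to the database.
    static String renderTextarea(String storedValue) {
        return "<textarea name=\"userdata\" id=\"userdata\">"
             + htmlEncode(storedValue)
             + "</textarea>";
    }

    // Defender's check: the rendered body must contain no raw '<' or '>',
    // so nothing from the stored value can end the textarea early.
    static boolean bodyStaysInsideTextarea(String html) {
        int start = html.indexOf('>') + 1;
        int end = html.lastIndexOf("</textarea>");
        String body = html.substring(start, end);
        return !body.contains("<") && !body.contains(">");
    }

    public static void main(String[] args) {
        // Constructed sample of stored data that would close the textarea
        // if written to the page unencoded.
        String stored = "hello </textarea><script>/* injected */</script>";
        String html = renderTextarea(stored);
        System.out.println(html);
        System.out.println("body stays inside textarea: " + bodyStaysInsideTextarea(html));
    }
}
```

If the script still runs after encoding like this, confirm that the encoder is applied to the exact expression emitted inside the tag at render time, and not only to a copy of the data elsewhere in the flow.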

