Say I'm in a Spring environment and I have a URL http://ift.tt/23Y9f4B
In the controller, I have code like,
mav.addObject("name", request.getParameter("name"));
And in the JSP file, it is rendered like
<div><c:out value="${name}" /></div>
My question is,
- If a malicious user appends a bad string to the URL, for example a short script, like http://ift.tt/20WNLmv bad script}, <c:out> will protect me. Is my understanding correct?
- What if I cannot use <c:out>? Say the parameter is "alice&bob"; <c:out> will turn it into "alice%26bob", which is not what I want. How can I protect myself in this case?
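The following is an added example, not code from the original post, showing the two transforms the question conflates. JSTL's <c:out> applies HTML entity escaping (its escapeXml="true" default replaces &, <, >, " and ' with entities); URL percent-encoding is a different transform for a different context (query strings, not an HTML body). The escapeXml method below reimplements that entity escaping so the example runs stand-alone; the attack string and the "alice&bob" parameter are constructed inputs standing in for ?name=... values.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;

/**
 * Added example (not from the original post). Reproduces the entity
 * escaping JSTL's <c:out> performs by default and contrasts it with
 * URL percent-encoding. Requires Java 10+ for URLEncoder.encode(String, Charset).
 */
public class OutputEncodingDemo {

    /**
     * HTML entity escaping of the five characters JSTL's escapeXml replaces.
     * This is a local reimplementation for the demo, not the JSTL class itself.
     */
    static String escapeXml(String s) {
        if (s == null) {
            return "";
        }
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&#034;"); break;
                case '\'': sb.append("&#039;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Mirrors the safe JSP line: <div><c:out value="${name}" /></div> */
    static String renderEscaped(String name) {
        return "<div>" + escapeXml(name) + "</div>";
    }

    /** Mirrors the unsafe variant with no escaping: <div>${name}</div> */
    static String renderRaw(String name) {
        return "<div>" + name + "</div>";
    }

    /** URL percent-encoding: the right tool for a query-string value, not for HTML body text. */
    static String urlEncode(String value) {
        return URLEncoder.encode(value, StandardCharsets.UTF_8);
    }

    public static void main(String[] args) {
        // Constructed inputs standing in for request.getParameter("name").
        String attack = "<script>alert(1)</script>";
        String ampersand = "alice&bob";

        // Unescaped: the script element reaches the browser as markup.
        System.out.println(renderRaw(attack));
        // Entity-escaped: the browser shows the text of the tag and does not execute it.
        System.out.println(renderEscaped(attack));

        // Entity escaping of "alice&bob" yields an HTML encoding that the browser
        // renders back to the original characters for the user.
        System.out.println(renderEscaped(ampersand));
        // Percent-encoding is what produces "%26"; it is only appropriate when
        // the value is being placed into a URL.
        System.out.println(urlEncode(ampersand));
    }
}
```

Run with `java OutputEncodingDemo.java`. For the "alice&bob" case, <c:out> emits alice&amp;bob, which the browser displays as alice&bob, so the displayed value is unchanged; the %26 form comes from URL encoding, a different operation. When <c:out> cannot be used in a template, the same entity escaping is available as the JSTL function ${fn:escapeXml(name)} (taglib http://java.sun.com/jsp/jstl/functions) or, from Java code in a Spring application, org.springframework.web.util.HtmlUtils.htmlEscape(String).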