When I set defaultHtmlEscape to true in web.xml, the values set in all input fields get escaped.
But when they are submitted, the values are not escaped.
So, is it true that this parameter is only for output, and does not cover the submission of parameters (and so, if I want to store XSS-safe values in the database, I should do something else)?
> defaultHtmlEscape (default: true): Set the default value for HTML escaping, to be put into the current PageContext.
The default HTML escape setting for input fields is already true, so setting it to true gives you the behaviour you get by default.
Moreover, I guess if you want to store XSS-safe values in the database you need to set it to false in order to avoid double escaping.
So, you need something different to achieve escaping on input, perhaps a filter. Though I don't think that input escaping is a good idea: consistent output escaping looks more reliable, and doesn't create problems with processing data in the database.
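The double-escaping problem the answer warns about, as an added example that is not part of the original question or answer and not Spring's own code. The `htmlEscape` method below is a hypothetical stand-in for the escaping Spring's form tags apply on output when `defaultHtmlEscape` is true; the `Map` plays the role of the database, and the submitted string is a constructed sample. Strategy A stores the submitted value unchanged and escapes once at render time; Strategy B escapes in an input filter and then renders with output escaping still on, so every `&` produced by the first pass is escaped again.

```java
import java.util.HashMap;
import java.util.Map;

public class HtmlEscapeDemo {

    // Hypothetical stand-in for the escaping applied by Spring's form tags on
    // output (not Spring's HtmlUtils): the five characters that matter in an
    // HTML attribute value are replaced with entity references.
    static String htmlEscape(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Constructed "database": field name -> stored value.
    static final Map<String, String> db = new HashMap<>();

    // Strategy A (what the answer recommends): store the submitted value as-is,
    // escape exactly once when rendering it back into the form.
    static String renderStoredRaw(String submitted) {
        db.put("comment", submitted);                  // stored unchanged
        return "<input value=\"" + htmlEscape(db.get("comment")) + "\">";
    }

    // Strategy B (escape on input, e.g. in a filter, and keep
    // defaultHtmlEscape=true on output): the stored value is already escaped,
    // so the render pass escapes the entity references a second time.
    static String renderEscapedOnInput(String submitted) {
        db.put("comment", htmlEscape(submitted));      // stored already escaped
        return "<input value=\"" + htmlEscape(db.get("comment")) + "\">";
    }

    public static void main(String[] args) {
        // Constructed, benign sample containing every character the escaper touches.
        String submitted = "Tom & \"Jerry\" <3 'em' >";

        System.out.println("A (store raw, escape on output): " + renderStoredRaw(submitted));
        System.out.println("B (escape on input + output):    " + renderEscapedOnInput(submitted));
        System.out.println("stored in db after B:            " + db.get("comment"));
    }
}
```

Run it and compare the two `<input>` lines: A contains `&amp;` and `&quot;` once, so the browser displays the original text; B contains `&amp;amp;` and `&amp;quot;`, so the user sees literal `&amp;` and `&quot;` in the field, and the value in the "database" is no longer the text the user typed, which is the processing problem the answer refers to. Keeping the stored value raw and escaping at every output point (templates, JSON, logs each with their own encoder) is the consistent approach; input validation of length and format is a separate check and is still worth doing.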