United States Department of Agriculture, Farm Services Agency, System Development Life Cycle (SDLC)

Cross Site Scripting
A Cross Site Scripting (XSS) attack causes a trusted site to echo attacker-supplied script back in the HTML it returns. Because the script arrives from the trusted site, the browser runs it in that site's context, with the site's cookies, session and DOM available to it. This kind of attack is prevented by HTML-encoding every piece of untrusted data written to the HTML stream: request parameters, session attributes and database values alike, since any of them may originate from user input. The same output encoding prevents the related HTML Injection and JavaScript Injection attacks. The simplest way of achieving this in JSP is to build pages using only tags, eliminating the use of scriptlets ("<%....%>") and expressions ("<%=...%>"). All new JSP pages should be built in this manner, leveraging JSTL and the expression language. Note that a bare EL expression written into the page body (${...}) is not encoded; the encoding comes from the <c:out> tag, whose escapeXml attribute defaults to true.

Vulnerability Example: Scriptlet usage with no HTML encoding
<%-- The first name was entered by a user at some point; the expression below writes it to the browser exactly as stored, so any markup or script it contains is rendered --%>
<% Customer cust = (Customer) session.getAttribute("customer"); %>
<%= cust.firstName() %>

Secure Example: JSTL handles HTML encoding
<%@ taglib uri="http://java.sun.com/jsp/jstl/core" prefix="c" %>
<%-- <c:out> encodes &, <, >, " and ' because escapeXml defaults to true, so the name is rendered as text --%>
<c:out value="${customer.firstName}" />

It may not be practical to modify all existing JSP pages. In this case, the output of every expression that carries untrusted data must be manually HTML encoded before it is written. This can be done via utility classes such as the escapeHtml method on the StringEscapeUtils class in the Jakarta Commons Lang package (in Commons Lang 3 the method is named escapeHtml4, and it has since moved to Commons Text). Two caveats apply: escapeHtml does not encode the apostrophe, so any attribute value it feeds must be enclosed in double quotes; and HTML encoding is only correct for data placed in element bodies and attribute values, not for data inserted into a <script> block, an event-handler attribute or a URL, each of which needs its own encoding.

Secure Example: Manual HTML Encoding
<%@ page import="org.apache.commons.lang.StringEscapeUtils" %>
<% Customer cust = (Customer) session.getAttribute("customer"); %>
<%-- escapeHtml converts &, <, >, " to entities so the name is rendered as text, never parsed as markup --%>
<%= StringEscapeUtils.escapeHtml( cust.firstName() ) %>
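As an added example (not code from this FSA SDLC page, and not the JSTL or Commons Lang implementations), the following stand-alone Java program models the two encoders the JSTL and manual encoding examples above rely on and runs a constructed XSS payload through each, once in an element body and once in a single-quoted attribute value. The class name, the two encoder methods and the payload strings are assumptions chosen for the illustration; the encoder methods reproduce only the ASCII metacharacters each library encodes.

```java
// Added example: models <c:out>'s escapeXml and Commons Lang's escapeHtml
// on the five ASCII metacharacters only, then renders a constructed XSS
// payload through each in body and attribute context. Not library code.
public class HtmlEncodingDemo {

    // What JSTL <c:out> does with escapeXml="true" (the default):
    // & < > " ' are all replaced by entities.
    static String escapeXml(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&#034;"); break;
                case '\'': out.append("&#039;"); break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // What Commons Lang StringEscapeUtils.escapeHtml (2.x) / escapeHtml4 (3.x)
    // does with the same characters: & < > " are encoded, the apostrophe is
    // left alone because HTML 4 defines no &apos; entity.
    static String escapeHtmlLikeCommonsLang(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&': out.append("&amp;");  break;
                case '<': out.append("&lt;");   break;
                case '>': out.append("&gt;");   break;
                case '"': out.append("&quot;"); break;
                default:  out.append(c);
            }
        }
        return out.toString();
    }

    // Two places a JSP might write the first name: an element body, and an
    // attribute value that the page author chose to single-quote.
    static String renderBody(String name) {
        return "<span>" + name + "</span>";
    }

    static String renderSingleQuotedAttr(String name) {
        return "<input type='text' value='" + name + "'>";
    }

    public static void main(String[] args) {
        // Constructed payloads: values an attacker could have saved as a
        // customer's first name through some earlier form.
        String bodyPayload = "<script>alert(document.cookie)</script>";
        String attrPayload = "' onfocus='alert(document.cookie)' autofocus='";

        System.out.println("Body, unencoded (vulnerable):");
        System.out.println("  " + renderBody(bodyPayload));
        System.out.println("Body, escapeXml:");
        System.out.println("  " + renderBody(escapeXml(bodyPayload)));
        System.out.println("Body, escapeHtml:");
        System.out.println("  " + renderBody(escapeHtmlLikeCommonsLang(bodyPayload)));

        System.out.println("Single-quoted attribute, escapeXml:");
        System.out.println("  " + renderSingleQuotedAttr(escapeXml(attrPayload)));
        System.out.println("Single-quoted attribute, escapeHtml:");
        System.out.println("  " + renderSingleQuotedAttr(escapeHtmlLikeCommonsLang(attrPayload)));

        // Both encoders neutralise the body payload, but only escapeXml keeps
        // the attribute payload inside the quotes: the escapeHtml output still
        // contains the raw apostrophe that closes value='' and lets
        // onfocus=... become a live attribute. With escapeHtml, attribute
        // values must be double-quoted.
        boolean breaksOut = escapeHtmlLikeCommonsLang(attrPayload).indexOf('\'') >= 0;
        System.out.println("escapeHtml output can close a single-quoted attribute: " + breaksOut);
    }
}
```

Compile and run it with javac HtmlEncodingDemo.java followed by java HtmlEncodingDemo. The body case shows why either encoder is sufficient for the firstName examples above; the attribute case shows the concrete reason the manual-encoding approach also requires double-quoted attributes, while <c:out> does not.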


Last Modified: 12/12/08 11:22:41 AM