I have a form that people can add their stuff. However, in that form,

Question

0

Asked: May 18, 20262026-05-18T05:31:18+00:00 2026-05-18T05:31:18+00:00

I have a form that people can add their stuff. However, in that form,

0

I have a form that people can add their stuff. However, in that form, if they enter JavaScript instead of only text, they can easily inject whatever they want to do. In order to prevent it, I can set escapeXml to true, but then normal HTML would be escaped as well.

<td><c:out value="${item.textValue}" escapeXml="true" /></td>

Is there any other way to prevent JavaScript injection rather than setting this to true?

Report

Leave an answer
Cancel reply

You must login to add an answer.

Need An Account,

1 Answer

Editorial Team · Answer 1 · 2026-05-18T05:31:19+00:00

Editorial Team

2026-05-18T05:31:19+00:00Added an answer on May 18, 2026 at 5:31 am

You need to parse the HTML text on the server as XML, then throw out any tags and attributes that aren’t in a strict whitelist.
(And check the URLs in href and src attributes)

0

Reply
Share
Share

- Report

Sign Up

Sign In

Forgot Password

The Archive Base Latest Questions

I have a form that people can add their stuff. However, in that form,

Leave an answerCancel reply

1 Answer

Leave an answer
Cancel reply