When I set defaultHtmlEscape to true in web.xml, the values set in all input fields get escaped.
But when they are submitted, the values are not escaped.
So, is it true that this parameter is only for output and does not cover the submission of parameters (and so, if I want to store XSS-safe values in the database, I should do something else)?
The default HTML escape setting for input fields is already true, so true means the behaviour you get by default. Moreover, I guess that if you want to store XSS-safe values in the database you need to set it to false in order to avoid double escaping.

So, you need something different to achieve escaping on input, perhaps a filter. Though I don't think that input escaping is a good idea; consistent output escaping looks more reliable and doesn't create problems with processing data in the database.