Summary

Acunetix 360 detected that the Spring web application is configured to disable automatic HTML escaping for Spring tags, which may lead to Cross-Site Scripting vulnerabilities.

Impact

Disabling the automatic HTML escaping for Spring tags may lead to Cross-Site Scripting vulnerabilities.

Actions To Take

It is recommended to enable HTML escaping for Spring tags. This can be configured in web.xml as in the example below:

<web-app>
    ...
    <context-param>
        <param-name>defaultHtmlEscape</param-name>
        <param-value>true</param-value>
    </context-param>
    ...
</web-app>

At the page level, it is declared with a tag:

<spring:htmlEscape defaultHtmlEscape="true" />
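The following JSP fragment is an added example, not part of the Acunetix report, showing what the page-level declaration changes for a Spring form tag. The "profile" model attribute, its displayName property and the user-supplied value are assumptions constructed for the illustration.

```jsp
<%@ taglib prefix="spring" uri="http://www.springframework.org/tags" %>
<%@ taglib prefix="form" uri="http://www.springframework.org/tags/form" %>

<%-- Page-level setting: it must precede the tags it should affect, and it
     takes precedence over the defaultHtmlEscape context-param in web.xml. --%>
<spring:htmlEscape defaultHtmlEscape="true" />

<%-- Assumption (constructed): the controller put a "profile" bean in the model
     whose displayName is user-controlled and currently holds the value
         "><b>injected</b>                                                  --%>
<form:form modelAttribute="profile" method="post">
    <form:input path="displayName" />
</form:form>

<%-- With escaping enabled (as above) the input renders with the value
     entity-encoded, so the user data stays inside the attribute:
       <input id="displayName" name="displayName" type="text"
              value="&quot;&gt;&lt;b&gt;injected&lt;/b&gt;"/>

     With defaultHtmlEscape false or unset (the finding reported here) the
     same tag writes the value verbatim:
       <input id="displayName" name="displayName" type="text"
              value=""><b>injected</b>"/>
     The quote closes the attribute and the rest becomes live markup. --%>

<%-- Individual tags can still opt out with htmlEscape="false"; any such
     override on request-derived data reintroduces the same weakness. --%>
```

When reviewing a finding like this, check all three layers in that order: the per-tag htmlEscape attribute, the page-level spring:htmlEscape tag, and finally the web.xml context-param, since the most specific setting wins.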

Severity

Medium

Classification

CWE-16 OWASP 2013-A5 OWASP 2017-A6 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N