Description

This Spring web application is configured to disable automatic HTML escaping for Spring tags, which may lead to Cross-Site Scripting (XSS) vulnerabilities.

Remediation

It is recommended to enable HTML escaping for Spring tags. This can be configured in web.xml as in the example below:

    <web-app>
        ...
        <context-param>
            <param-name>defaultHtmlEscape</param-name>
            <param-value>true</param-value>
        </context-param>
        ...
    </web-app>

At page level, it is set with a tag declaration.
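The following JSP fragment is an added example, not part of the original advisory, showing the page-level declaration alongside the Spring tags it affects. The command object name `user`, its `displayName` property and the message codes are assumed for illustration.

```jsp
<%@ page contentType="text/html;charset=UTF-8" %>
<%@ taglib prefix="spring" uri="http://www.springframework.org/tags" %>
<%@ taglib prefix="form" uri="http://www.springframework.org/tags/form" %>

<%-- Page-level declaration: every Spring tag on this page escapes HTML
     by default, regardless of the defaultHtmlEscape context-param in web.xml. --%>
<spring:htmlEscape defaultHtmlEscape="true" />

<%-- Hypothetical command object "user" with a "displayName" property.
     With escaping on, a value such as <b>x</b> is rendered as &lt;b&gt;x&lt;/b&gt;
     inside the value attribute instead of being interpreted as markup. --%>
<form:form modelAttribute="user">
    <form:input path="displayName" />
</form:form>

<%-- A message resolved from the MessageSource with a user-supplied argument;
     with escaping on, any markup in the resolved text is escaped. --%>
<spring:message code="greeting" arguments="${user.displayName}" />

<%-- Caveat: a per-tag htmlEscape="false" overrides both the page-level and the
     web.xml setting for that one tag, so audit every such override; it is only
     safe for content that contains no untrusted input. --%>
<spring:message code="footer.html" htmlEscape="false" />
```

The precedence to keep in mind when reviewing templates: a tag's own `htmlEscape` attribute wins over `<spring:htmlEscape>`, which in turn wins over the `defaultHtmlEscape` context-param, so enabling escaping in web.xml alone does not protect a page that switches it off lower down.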
  

References

Related Vulnerabilities