Cross-Site Scripting (XSS)
Overview
XSS allows attacker-controlled script to run in another user’s browser.
Impact
Reflected XSS echoes the injected script back in the immediate response, while stored XSS persists the malicious content on the server and serves it to later visitors.
Countermeasures
Encode output by context, validate input, avoid unsafe DOM APIs, and apply security headers such as Content-Security-Policy.
Examples
<%-- Vulnerable: EL writes ${contents} into the HTML body without encoding --%>
<tr>
<td colspan="2">${contents}</td>
</tr>

<%-- Safe: <c:out> encodes &, <, >, " and ' for the HTML body context --%>
<tr>
<td colspan="2"><c:out value="${contents}"/></td>
</tr>

<%-- Vulnerable: removing two literal strings is filtering, not encoding, and escapeXml="false" disables the encoding <c:out> would otherwise apply --%>
<%
String param = request.getParameter("Param");
param = param.replaceAll("<script>", "");
param = param.replaceAll("</script>", "");
%>
<c:out value="${param}" escapeXml="false"></c:out>
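As an added example that is not part of the original page, the following Node.js code implements the context-specific output encoding the countermeasures call for (the HTML-body encoder reproduces what `<c:out>` does with `escapeXml` at its default) next to a port of the page's blacklist filter, so both can be run on the same constructed input; the function names are this example's own.

```javascript
// Added example, not from the original page: context-aware output encoding
// in plain Node.js, mirroring <c:out> for the HTML body context and extending
// the idea to the JavaScript string-literal context.

// HTML body and attribute text: escape the five characters that can change the
// HTML parser's state. Every other character passes through unchanged, so the
// data is preserved and there is no tag name for the encoder to "miss".
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
};

function encodeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// JavaScript string-literal context (inside <script>var x = "..."</script>):
// hex-escape everything outside [A-Za-z0-9] so neither a quote nor "</script"
// can terminate the literal or the script block.
function encodeJsString(value) {
  return String(value).replace(/[^A-Za-z0-9]/g, (ch) => {
    const code = ch.charCodeAt(0);
    return code < 0x100
      ? '\\x' + code.toString(16).padStart(2, '0')
      : '\\u' + code.toString(16).padStart(4, '0');
  });
}

// Port of the page's blacklist: removes two literal strings and nothing else.
// Whatever is left is emitted unencoded, exactly as escapeXml="false" does.
function stripScriptTags(value) {
  return String(value).replaceAll('<script>', '').replaceAll('</script>', '');
}

// The page's table row, rendered with contents encoded for the HTML body.
function renderRow(contents) {
  return `<tr>\n<td colspan="2">${encodeHtml(contents)}</td>\n</tr>`;
}

// Constructed sample input containing the tag the blacklist targets.
const SAMPLE = '<script>alert(1)</script>';

console.log(renderRow(SAMPLE));          // tag rendered as visible text, inert
console.log(stripScriptTags(SAMPLE));    // "alert(1)": data altered, not encoded
console.log(encodeJsString('</script>')); // \x3c\x2fscript\x3e
```

The encoder keeps the user's text intact and lets the browser display it literally, whereas the filter silently changes the data and still emits every remaining character raw.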