Spring XSS Protection Disabled

ID

java.spring_xss_protection_disabled

Severity

high

Resource

Misconfiguration

Language

Java

Tags

CWE:80, NIST.SP.800-53, OWASP:2021:A3, OWASP:2021:A5, PCI-DSS:6.5.7, spring

Description

Spring HTML escaping disabled.

Rationale

Cross-Site Scripting (XSS) is a significant security threat that occurs when applications include user input in web pages without proper validation or escaping, allowing attackers to insert malicious scripts.

In Spring MVC applications, misconfiguration or the absence of proper XSS protection can leave an application vulnerable.

A typical vulnerability scenario involves the improper handling of input received from web requests and presented back to users without escaping. Applications must configure view resolvers and other components to escape outputs properly.

Remediation

To address XSS vulnerabilities in Spring MVC, set the defaultHtmlEscape context parameter. With this setting, model attributes rendered through Spring's view tags are HTML-escaped by default, so injected markup is displayed as text rather than executed.

<web-app>
    ...
    <context-param>
        <param-name>defaultHtmlEscape</param-name>
        <param-value>true</param-value>
    </context-param>
    ...
</web-app>

Setting defaultHtmlEscape to true is a global setting that applies consistent HTML escaping across all views in the application, reducing the risk of XSS by default.