Is it possible to make XSS attacks through html comments with JSP code inside?

Backend | Unresolved | 2 | 1093
遇见更好的自我 2021-01-21 17:06

Is it true that the following code adds an XSS vulnerability to some JSP page?

HTML comment style. The JSP parser won't parse them, but it removes them from the output. Thus you won't see them in the generated HTML output.

The XSS risk is here because you're not escaping user-controlled input. Request parameters are fully controllable by end users. The end user may for instance pass -->
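Added example, not part of the answer above and not code from the original question: a small Java program that shows why a raw request parameter written into an HTML comment on a JSP page is still an XSS sink (the value can contain `-->` and so end the comment early), and how output escaping closes that. The `escapeXml` method below reproduces the character set that JSTL's `fn:escapeXml` handles (`&`, `<`, `>`, `"`, `'`); that is an assumption about its behaviour written here for illustration, not the library's code. The sample value is constructed.

```java
/**
 * Added example (not from the original thread). Demonstrates that a
 * user-controlled value placed inside an HTML comment can terminate the
 * comment, and that escaping the value before output prevents that.
 */
public class CommentContextEscaping {

    /**
     * Escape the characters that change meaning in HTML/XML text.
     * Assumption: mirrors the set handled by JSTL fn:escapeXml.
     */
    public static String escapeXml(String s) {
        if (s == null) {
            return "";
        }
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&#034;"); break;
                case '\'': sb.append("&#039;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** True if the value, written verbatim, would close an enclosing HTML comment. */
    public static boolean closesHtmlComment(String value) {
        return value != null && value.contains("-->");
    }

    /** What the browser receives when the value is placed inside an HTML comment. */
    public static String renderHtmlComment(String value) {
        return "<!-- debug: " + value + " -->";
    }

    public static void main(String[] args) {
        // Constructed sample: a request parameter value that ends the comment early.
        String raw = "-->not a comment any more<!--";

        String unsafeOutput = renderHtmlComment(raw);
        String safeOutput = renderHtmlComment(escapeXml(raw));

        System.out.println("raw value closes comment:     " + closesHtmlComment(raw));
        System.out.println("escaped value closes comment: " + closesHtmlComment(escapeXml(raw)));
        System.out.println("unsafe output: " + unsafeOutput);
        System.out.println("safe output:   " + safeOutput);
    }
}
```

Run with `javac CommentContextEscaping.java && java CommentContextEscaping`. The raw value reports `true` for closing the comment while the escaped value reports `false`, because `>` has become `&gt;` and the sequence `-->` no longer occurs. In a JSP page the same effect comes from writing `${fn:escapeXml(param.name)}` instead of the raw parameter; and if the text is only meant as a server-side note, a JSP comment (`<%-- ... --%>`) is never sent to the browser at all, so nothing inside it can become a sink.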
