How do I prevent people from doing XSS in Spring MVC?

In Spring you can escape the HTML from JSP pages generated by <form> tags. This closes off a lot of avenues for XSS attacks, and can be done automatically in three ways:

For the entire application in the web.xml file:

    <context-param>
        <param-name>defaultHtmlEscape</param-name>
        <param-value>true</param-value>
    </context-param>

For all forms on a given page in the file itself: <spring:htmlEscape …
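
A deployment check for the application-wide setting above, as an added example that is not part of the original answer: it reads a web.xml and reports whether defaultHtmlEscape is enabled, disabled or missing, ignoring the descriptor's XML namespace. The function names and the sample descriptors are constructed for illustration, and comparing the value case-insensitively is an assumption of this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample descriptors (not taken from any real application).
ENABLED = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <context-param>
    <param-name>defaultHtmlEscape</param-name>
    <param-value>true</param-value>
  </context-param>
</web-app>"""
DISABLED = ENABLED.replace(">true<", ">false<")
MISSING = ENABLED.replace("defaultHtmlEscape", "contextConfigLocation")


def _local(tag):
    """Drop the namespace part: '{ns}context-param' -> 'context-param'."""
    return tag.rsplit("}", 1)[-1]


def _child_text(elem, name):
    """Text of the first direct child called `name`, or None if absent."""
    for child in elem:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return None


def default_html_escape(web_xml_text):
    """Return 'enabled', 'disabled' or 'missing' for defaultHtmlEscape."""
    root = ET.fromstring(web_xml_text)
    for elem in root:
        if _local(elem.tag) != "context-param":
            continue
        if _child_text(elem, "param-name") == "defaultHtmlEscape":
            value = _child_text(elem, "param-value") or ""
            # Assumption: only the literal "true" (any case) enables escaping.
            return "enabled" if value.lower() == "true" else "disabled"
    return "missing"


if __name__ == "__main__":
    for label, doc in (("A", ENABLED), ("B", DISABLED), ("C", MISSING)):
        print(label, default_html_escape(doc))
```

A result of 'missing' or 'disabled' means the application is not relying on this setting, so escaping has to be confirmed per page or per form instead.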