Is it possible to make XSS attacks through html comments with JSP code inside?

Posted by Dmitriy Matveev on Stack Overflow See other posts from Stack Overflow or by Dmitriy Matveev
Published on 2010-05-06T09:22:31Z Indexed on 2010/05/06 9:28 UTC
Read the original article Hit count: 282

Filed under:

jsp

|

html

|

security

Hello! Is it true that following code adds a XSS vulnerability to some JPS page?

<!--    <%=paramName%>=<%=request.getParameter(paramName)%><BR>  -->

It looks like a "leftover debug" and definitely should be removed from the code, but how dangerous is it?

© Stack Overflow or respective owner

Related posts about jsp

Passing Textbox values from one JSP to another JSP

as seen on Stack Overflow - Search for 'Stack Overflow'
hi all. I want to pass a textbox value from source JSP file to the destination JSP file on a href click event withour using javascripts. can anyone help me out in this? i tried using the following method but iam getting error like "End tag is required" <a href="/destinationFile.jsp?sDate=<%='+txtDate… >>> More
passing valus to one jsp page to another jsp page

as seen on Stack Overflow - Search for 'Stack Overflow'
I'm retrieving values from database to table in jsp.(to a column) I want to insert that value into another table in database. To do that i'm using another jsp table to insert that value in db and i call that jsp page in my previous jsp's page form action tab. I use request.getParameter() method… >>> More
Uploading a zip file to a jsp and extract the content in another jsp

as seen on Stack Overflow - Search for 'Stack Overflow'
I want to upload a zip file in a jsp page and the user is sent to another jsp page after he selects and uploads the file. In this second page I want to 1.)extract the uploaded zip file. 2.)read some content from the extracted file(s) and allow the user to change/edit them 3.)save the user changes… >>> More
Java (JSP/Servlet): equivalent of getServletContext() from inside a .jsp

as seen on Stack Overflow - Search for 'Stack Overflow'
How should I access the ServletContext from a .jsp? For example, how can I call the getRealPath method from inside a .jsp. Here's a Servlet, which works fine: protected void doGet( HttpServletRequest req, HttpServletResponse resp ) throws ServletException, IOException… >>> More
Java (JSP): repeating the contentType header in a "sub-jsp"

as seen on Stack Overflow - Search for 'Stack Overflow'
What happens when headers are repeated in a .jsp you include in another .jsp? For example if example.jsp starts with this: <?xml version="1.0" encoding="UTF-8"?> <jsp:root version="2.0" xmlns:jsp="http://java.sun.com/JSP/Page"> <jsp:directive.page contentType="text/html; charset=UTF-8"… >>> More

Related posts about html

Install usblib package - Ubuntu

as seen on Ask Ubuntu - Search for 'Ask Ubuntu'
I need the package libusb for another package I am installing. I tried the following which seemed to install the package, sudo apt-get install libusb-dev but when I try to install the other package I get, configure: error: Package requirements (libusb-1.0 >= 0.9.1) were not met: No package… >>> More
Prevent malicious vulnerability scan increasing load on a server

as seen on Server Fault - Search for 'Server Fault'
Hi all, this week we have been suffering some malicious vulnerability scans to our servers, increasing the load on them, making them nearly unusable. The attack is easy to defend, just blocking the offending ip, but only after discovering it. Is there any form of prevent it? Is it normal that… >>> More
can't install psycopg2 in my env on mac os x lion

as seen on Server Fault - Search for 'Server Fault'
I tried install psycopg2 via pip in my virtual env, but got this error: ld: library not found for -lpq (full log here: http://pastebin.com/XdmGyJ4u ) I tried install postgres 9.1 from .dmg and via port, (gksks)iMac-Alexander:~ lorddaedra$ locate libpq /Developer/SDKs/MacOSX10.7.sdk/usr/include/libpq /Developer/SDKs/MacOSX10… >>> More
Bitnami redmine error SVN

as seen on Server Fault - Search for 'Server Fault'
I'm installing the Bitnami Redmine stack (redmine + subversion). Firstly I install configure and test it locally (Ubuntu 14.04 LTS). And everything is OK. I install Bitnami stack on server (Red Hat 4.4.7-4) and configure SVN. I commit files into SVN and connect project into Redmine with SVN repository… >>> More
Can the .htaccess file slow down a website to a crawl? If so, are there better ways to solve these problems with different rewrite rules and such?

as seen on Pro Webmasters - Search for 'Pro Webmasters'
here is my htaccess file...... RewriteCond %{REQUEST_URI} ^/patients/billing/FAQ_billing\.html$ [OR] RewriteCond %{REQUEST_URI} ^/patients/billing/getintouch\.html$ RewriteRule ^patients/billing/(.*)\.html$ $1.php [L,NC] RewriteCond %{REQUEST_URI} ^/patients/findadoctor/a\.html$ [OR] RewriteCond… >>> More