I use addError(...) to reflect messages to the user, including user input.
If the user input is something like <script>alert('hi');</script>, the JS is executed.
old:
<c:out value="${msg}" escapeXml="false"/>
I suggest:
<c:out value="${msg}" escapeXml="true"/>
The same goes for errors: ${error}
User information for <strong>{0}</strong> has been added successfully.
Oh well, XSS is more important I suppose.
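Added example (not code from the project or the reporter): since the message template above carries its own markup (<strong>{0}</strong>), escaping the whole rendered message with escapeXml="true" also neutralises that markup. Escaping only the user-controlled argument before it is substituted into the template keeps the intended markup while still preventing the injected script from running. The escape routine below mirrors the replacements <c:out> performs; the class and method names are assumptions.

```java
import java.text.MessageFormat;

public class MessageEscapeExample {

    // Same five replacements that <c:out escapeXml="true"> applies to its value.
    static String escapeXml(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&#034;"); break;
                case '\'': sb.append("&#039;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Template from the report. MessageFormat only interprets quotes in the
    // pattern, not in the arguments, so user input needs no extra quoting here.
    static final String TEMPLATE =
        "User information for <strong>{0}</strong> has been added successfully.";

    // Escape the argument, then format: template markup survives, input does not
    // get to inject tags. The result can be emitted with escapeXml="false".
    static String renderMessage(String userInput) {
        return MessageFormat.format(TEMPLATE, escapeXml(userInput));
    }

    public static void main(String[] args) {
        // Constructed sample input matching the reporter's test string.
        String hostile = "<script>alert('hi');</script>";
        System.out.println(renderMessage(hostile));
    }
}
```

The same treatment applies to the ${error} message: escape the user-supplied piece at the point where addError(...) builds the message, not the template as a whole.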