
Form security by replacing '>', '<' characters

I create a web form with JSP, and to prevent attacks I do the following:

// String.replace returns a new String, so the result has to be assigned back
input = input.replace("<", "something else");
input = input.replace(">", "something else");

so a user cannot add HTML or other tags inside a form.

Is this enough to prevent attacks of this kind (insertion of HTML or other tags inside my website)?

Thank you, JH. G.


In short, no. I recommend that you check out the ESAPI project for this. They have built-in tools to HTML-encode requests and responses so as to prevent XSS attacks.


This is not entirely the right way. It's not only incomplete, as ', " and & also need to be escaped, but you should actually be using JSTL <c:out> or fn:escapeXml() to escape HTML/XML entities on the view side.

E.g.

<c:out value="${bean.value}" />
<input type="text" name="foo" value="${fn:escapeXml(param.foo)}" />

See also:

  • XSS prevention in JSP/Servlet web application
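As an added illustration of both answers above (it is not code from the original post, from ESAPI or from JSTL), the following Java class puts the asker's two-character replacement next to an escaper that handles the same five characters as JSTL's fn:escapeXml (& < > " ' become &amp; &lt; &gt; &#034; &#039;) and renders each through the same `<input value="...">` template the second answer uses. The payloads and the `renderInput` helper are constructed for this demonstration; in a real JSP the escaping would be done by <c:out> or fn:escapeXml(), not by hand.

```java
import java.util.LinkedHashMap;
import java.util.Map;

public class HtmlEscapeDemo {

    // The asker's approach: only '<' and '>' are touched. Anything that breaks
    // out of an attribute with a quote, or that relies on '&', passes through.
    static String naiveReplace(String input) {
        return input.replace("<", "&lt;").replace(">", "&gt;");
    }

    // Same character set and entities as JSTL fn:escapeXml / <c:out escapeXml="true">.
    // A single pass over the string avoids the "escape '&' first" ordering trap
    // that chained replace() calls have.
    static String escapeHtml(String input) {
        if (input == null) {
            return "";
        }
        StringBuilder sb = new StringBuilder(input.length() + 16);
        for (int i = 0; i < input.length(); i++) {
            char c = input.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&#034;"); break;
                case '\'': sb.append("&#039;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Stand-in for the JSP line
    //   <input type="text" name="foo" value="${fn:escapeXml(param.foo)}" />
    // with the value already processed by one of the two functions above.
    static String renderInput(String value) {
        return "<input type=\"text\" name=\"foo\" value=\"" + value + "\" />";
    }

    // Same template with a single-quoted attribute, to show why ' matters too.
    static String renderInputSingleQuoted(String value) {
        return "<input type='text' name='foo' value='" + value + "' />";
    }

    public static void main(String[] args) {
        // Constructed payloads. None of them contain '<' or '>', so the
        // naive replacement leaves all three unchanged.
        Map<String, String> payloads = new LinkedHashMap<>();
        payloads.put("double-quote breakout", "\" onfocus=\"alert(1)\" autofocus=\"");
        payloads.put("single-quote breakout", "' onfocus='alert(1)' autofocus='");
        // Not an XSS payload: shows that without '&' escaping the browser decodes
        // user-supplied text, so a user who typed "&lt;" is shown "<" instead.
        payloads.put("entity passthrough", "&lt;b&gt;not bold&lt;/b&gt;");

        for (Map.Entry<String, String> e : payloads.entrySet()) {
            String raw = e.getValue();
            System.out.println("== " + e.getKey());
            System.out.println("naive, \"-attr : " + renderInput(naiveReplace(raw)));
            System.out.println("naive, '-attr : " + renderInputSingleQuoted(naiveReplace(raw)));
            System.out.println("escaped, \"-attr: " + renderInput(escapeHtml(raw)));
            System.out.println("escaped, '-attr: " + renderInputSingleQuoted(escapeHtml(raw)));
            System.out.println();
        }
    }
}
```

Run it with `javac HtmlEscapeDemo.java && java HtmlEscapeDemo`. In the naive output the first payload closes the double-quoted value attribute and adds its own `onfocus` handler; the second does the same in the single-quoted template; in the escaped output every quote is an entity and the attribute stays intact. The check a reviewer should apply to a JSP is therefore not "are < and > gone?" but "is every user-controlled value passed through <c:out> or fn:escapeXml() at the point where it lands in the page, and does the surrounding markup always quote the attribute?"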
