Summary
Acunetix 360 detected that the Spring web application is configured to disable the automatic HTML escaping for Spring tags which may lead to Cross-Site Scripting vulnerabilities.
Impact
Disabling the automatic HTML escaping for Spring tags may lead to Cross-Site Scripting vulnerabilities.
Actions To Take
It's recommended to enable HTML escaping for Spring tags. This can be configured from web.xml like in the example below:
<web-app>
...
<context-param>
<param-name>defaultHtmlEscape</param-name>
<param-value>true</param-value>
</context-param>
...
</web-app>
At page level, it is defined as a tag-declaration.
<spring:htmlEscape defaultHtmlEscape="true" />