I have a form written in JSP and i want to sanitize user input using fn:escapeXml, this is part of my code:
<form:form commandName="userInquiryForm" id="form" method="post" class="form-horizontal" enctype="multipart/form-data" action="${editComplaint}">
<form:errors path="*" cssClass="alert alert-danger alert-error" element="div"/>
<%--Hold exisitng value--%>
<form:input type="hidden" path="bean.inquiryId" value="${fn:escapeXml(bean.inquiryId)}"/>
<form:input type="hidden" path="bean.createdDate" value="${fn:escapeXml(bean.createdDate)}"/>
<form:input type="hidden" path="bean.inquiryType" value="${fn:escapeXml(bean.inquiryType)}"/>
<form:input type="hidden" path="bean.category" value="${fn:escapeXml(bean.category)}"/>
<form:input type="hidden" path="bean.name" value="${fn:escapeXml(bean.name)}"/>
<form:input type="hidden" path="bean.email" value="${fn:escapeXml(bean.email)}"/>
<form:input type="hidden" path="bean.message" value="${fn:escapeXml(bean.message)}"/>
<form:input type="hidden" path="bean.status" value="${fn:escapeXml(bean.status)}"/>
<form:input type="hidden" path="bean.remarks" value="${fn:escapeXml(bean.remarks)}"/>
<%--Form--%>
<div class="form-group">
<h4 class="title">User Complaint</h4>
<label class="control-label col-sm-3">Name</label>
<div class="col-sm-9">
<form:textarea class="form-control" path="name" value="${fn:escapeXml(name)}" rows="1" disabled="true"/>
</div>
</div>
<div class="form-group">
<label class="control-label col-sm-3">Email</label>
<div class="col-sm-9">
<form:textarea class="form-control" path="email" value="${fn:escapeXml(email)}" rows="1" disabled="true"/>
</div>
</div>
<div class="form-group">
<label class="control-label col-sm-3">Message</label>
<div class="col-sm-9">
<form:textarea class="form-control" path="message" value="${fn:escapeXml(message)}" disabled="true"></form:textarea>
</div>
</div>
<div class="form-group">
<label class="control-label col-sm-3">Date Receive</label>
<div class="col-sm-9">
<form:textarea class="form-control" path="createdDate" value="${fn:escapeXml(createdDate)}" disabled="true"></form:textarea>
</div>
</div>
<div class="form-group">
<label class="control-label col-sm-3">Remarks</label>
<div class="col-sm-9">
<form:textarea id="remarkEditor" class="form-control" path="remarks" value="${fn:escapeXml(remarks)}"></form:textarea>
<sup id="remarkLength">Max Length 500</sup>
</div>
</div>
<div class="form-group">
<label class="control-label col-sm-3">Status</label>
<div class="col-sm-9">
<form:select path="status" class="form-control">
<form:option value="pending" label="pending" />
<form:option value="processing" label="processing" />
<form:option value="resolved" label="resolved" />
</form:select>
</div>
</div>
<div class="text-right">
<a class="btn btn-sm btn-gray" href="<c:url value='/inquiry/user-complaint-list'/>">Back</a>
<button type="submit" name="submit" class="btn btn-sm btn-info" onclick="updateComplaint()">Confirm</button>
</div>
</form:form>
Only the remarks field is editable, I tried to input alert(‘XSS’); into that field and the input seems not sanitize properly, why the input is not sanitize properly even though i apply fn:escapexml? Would appreciate if anyone can help, thank you in advance