
I have a JSP page where the HTML title is pulled from a GET parameter title:

<title>${title}</title>

Obviously, this allows for XSS attacks. If I follow the answer given on this page and try the solutions

<title><c:out value="${title}"/></title>
<title>${fn:escapeXml(title)}</title>

(while importing the respective taglibs), it doesn't work. The test attack

https://example.com/page.jsp?title=“/><script>alert(1)</script>

still works. What am I doing wrong with these solutions?

EdOverflow
PiotrChernin

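As an added illustration (not code from the question or from the JSTL taglib), the following standalone Java program reproduces the five-character mapping that fn:escapeXml and c:out apply (per the JSTL specification, assumed here) and runs the question's own payload through it. The rendered output it prints is what a correctly escaped response should look like; if the actual page source still shows a literal `<script>`, the escaping is not being applied at all.

```java
public final class TitleEscapeCheck {

    // The mapping JSTL's fn:escapeXml / <c:out escapeXml="true"> applies
    // (assumed from the JSTL spec; this is a re-implementation, not the taglib).
    static String escapeXml(String s) {
        if (s == null) {
            return "";
        }
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '\'': sb.append("&#039;"); break;
                case '"':  sb.append("&#034;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // A title body is safe when no raw angle bracket survives escaping,
    // so nothing inside it can be parsed as a tag.
    static boolean isSafeTitleBody(String rendered) {
        return rendered.indexOf('<') < 0 && rendered.indexOf('>') < 0;
    }

    public static void main(String[] args) {
        // Constructed input: the payload from the question, curly quote included.
        String title = "\u201C/><script>alert(1)</script>";

        String raw = "<title>" + title + "</title>";
        String escaped = "<title>" + escapeXml(title) + "</title>";

        System.out.println("unescaped: " + raw);
        System.out.println("escaped:   " + escaped);
        System.out.println("raw body safe:     " + isSafeTitleBody(title));
        System.out.println("escaped body safe: " + isSafeTitleBody(escapeXml(title)));
    }
}
```

Compare the "escaped:" line with the HTML the server actually returns for the request in the question; `&lt;script&gt;` in the response means the taglib works, while a literal `<script>` means the expression is reaching the page unescaped.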