# DEFAULT HTML ESCAPE INVALID

| Feature | Value |
| --- | --- |
| Type | Detection |
| Risk | OWASP A6 |
| Covered by | Agent |

Applications based on Spring tags do not escape HTML by default, but it is good practice to activate escaping in web.xml, as it reduces the likelihood of an XSS attack:

```xml
<context-param>
    <param-name>defaultHtmlEscape</param-name>
    <param-value>true</param-value>
</context-param>
```


## How to solve it

Set the defaultHtmlEscape context parameter to true in web.xml to activate HTML escaping by default.
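
One way to check a deployment descriptor for this finding, as an added example (not code from the original page or from the agent it describes). The function name, the status strings and the sample descriptors are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

PARAM = "defaultHtmlEscape"

def _local(tag):
    # Drop any "{namespace}" prefix so javaee, jakarta and un-namespaced
    # descriptors are all matched by local element name.
    return tag.rsplit("}", 1)[-1]

def check_default_html_escape(web_xml_text):
    """Classify a web.xml document as 'enabled', 'disabled' or 'missing'."""
    root = ET.fromstring(web_xml_text)
    values = []
    for elem in root:  # <context-param> is a direct child of <web-app>
        if _local(elem.tag) != "context-param":
            continue
        fields = {_local(c.tag): (c.text or "").strip() for c in elem}
        if fields.get("param-name") == PARAM:
            values.append(fields.get("param-value", ""))
    if not values:
        return "missing"
    # Assumption: surrounding whitespace is trimmed and the value is compared
    # case-insensitively with "true"; anything else counts as disabled.
    # Duplicate entries pass only if every one of them is "true".
    if all(v.lower() == "true" for v in values):
        return "enabled"
    return "disabled"

# Constructed sample descriptors (not taken from any real application).
SAMPLES = {
    "hardened": """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
      <context-param>
        <param-name>defaultHtmlEscape</param-name>
        <param-value> true </param-value>
      </context-param>
    </web-app>""",
    "explicit_false": """<web-app>
      <context-param>
        <param-name>defaultHtmlEscape</param-name>
        <param-value>false</param-value>
      </context-param>
    </web-app>""",
    "missing": """<web-app>
      <context-param>
        <param-name>contextConfigLocation</param-name>
        <param-value>/WEB-INF/app.xml</param-value>
      </context-param>
    </web-app>""",
}

if __name__ == "__main__":
    for name, xml_text in SAMPLES.items():
        print(f"{name}: {check_default_html_escape(xml_text)}")
```

Both "missing" and "disabled" correspond to the finding above; only "enabled" passes.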