[Stripes-users] Remove HTML from user input

2014-10-14 Thread Adam Stokar
Hi everyone,

Does Stripes have an easy way to remove HTML from user input to prevent XSS
attacks?  I've googled with no success.

Thanks,
--
Comprehensive Server Monitoring with Site24x7.
Monitor 10 servers for $9/Month.
Get alerted through email, SMS, voice calls or mobile push notifications.
Take corrective actions from your mobile device.
http://p.sf.net/sfu/Zoho
___
Stripes-users mailing list
Stripes-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/stripes-users


Re: [Stripes-users] Remove HTML from user input

2014-10-14 Thread Mike McNally
XSS is part of a wider class of attacks (like SQL injection) that are
more *output* problems than input problems. There are solutions in the
JSP world for escaping content in HTML/XML contexts, just as there are
solutions for protecting queries from user-supplied data in the SQL
world.

On Tue, Oct 14, 2014 at 3:53 PM, Adam Stokar wrote:
> Hi everyone,
>
> Does Stripes have an easy way to remove HTML from user input to prevent XSS
> attacks?  I've googled with no success.
>
> Thanks,
>



-- 
Turtle, turtle, on the ground,
Pink and shiny, turn around.



Re: [Stripes-users] Remove HTML from user input

2014-10-14 Thread Rusty Wright
Escaping html?

http://tinyurl.com/p7cymrs


On Tue, Oct 14, 2014 at 1:53 PM, Adam Stokar wrote:

> Hi everyone,
>
> Does Stripes have an easy way to remove HTML from user input to prevent
> XSS attacks?  I've googled with no success.
>
> Thanks,
>
>


Re: [Stripes-users] Remove HTML from user input

2014-10-14 Thread Grzegorz Krugły
I've been using this one https://github.com/StripesFramework/stripes-xss
quite successfully; I have it modified a bit to serve a more complex use
case of having more relaxed rules for some URL-field name combinations
(e.g. those that I KNOW have CKEditor on them).



Re: [Stripes-users] Remove HTML from user input

2014-10-15 Thread VANKEISBELCK Remi
Hi,

I guess you can validate whatever you want by providing your own
ActionBeanPropertyBinder :
net.sourceforge.stripes.controller.ActionBeanPropertyBinder

I think it can be done very easily by overriding a single method in there,
maybe :
net.sourceforge.stripes.controller.DefaultActionBeanPropertyBinder#bind(net.sourceforge.stripes.action.ActionBean,
java.lang.String, java.lang.Object)

If the value is a String, then check for XSS, and sanitize the String
before setting the bean prop if needed.

When you output anything in JSP, you should be safe using jstl's  :
it escapes Xml by default.

Cheers

Rémi


2014-10-14 22:53 GMT+02:00 Adam Stokar:

> Hi everyone,
>
> Does Stripes have an easy way to remove HTML from user input to prevent
> XSS attacks?  I've googled with no success.
>
> Thanks,
>
>
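A binder along the lines Rémi describes, which also carries Grzegorz's idea of relaxed rules for fields known to hold rich text. This is an added example, not code from the thread, from Stripes or from stripes-xss. The package and the allow-listed property names are invented; the three-argument bind signature is taken from Rémi's message, and both whether every bound parameter passes through that method and the exact init-param name for registering the binder should be checked against your Stripes version.

```java
package example;                                   // hypothetical package name

import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import java.util.regex.Pattern;

import net.sourceforge.stripes.action.ActionBean;
import net.sourceforge.stripes.controller.DefaultActionBeanPropertyBinder;

/**
 * Defence-in-depth binder: strips HTML tags from String request parameters before
 * they are set on the ActionBean, except for properties declared as rich text
 * (those still need a real HTML sanitizer, as CKEditor content does).
 * Output escaping in the JSP (c:out / fn:escapeXml) remains the primary control.
 *
 * Registration is an init-param on StripesFilter in web.xml; the name below is
 * from memory of Stripes' RuntimeConfiguration, so verify it for your version:
 *   ActionBeanPropertyBinder.Class = example.HtmlStrippingPropertyBinder
 */
public class HtmlStrippingPropertyBinder extends DefaultActionBeanPropertyBinder {

    /** Property names allowed to carry markup; these names are made up for the example. */
    private static final Set<String> RICH_TEXT_PROPERTIES =
            new HashSet<String>(Arrays.asList("article.body", "comment.html"));

    /** A tag-like run: '<', optional '/', a letter, then anything up to the next '>'. */
    private static final Pattern TAG = Pattern.compile("</?[A-Za-z][^>]*>");

    @Override
    public void bind(ActionBean bean, String property, Object value) throws Exception {
        if (value instanceof String && !RICH_TEXT_PROPERTIES.contains(property)) {
            value = stripTags((String) value);
        }
        super.bind(bean, property, value);
    }

    /**
     * Coarse filter, not an HTML parser: removes tag-like runs until nothing changes,
     * so a value such as "<<b>script>" does not turn into a tag after one pass.
     */
    static String stripTags(String s) {
        String previous;
        do {
            previous = s;
            s = TAG.matcher(s).replaceAll("");
        } while (!s.equals(previous));
        return s;
    }
}
```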


Re: [Stripes-users] Remove HTML from user input

2014-10-15 Thread Mike McNally
It's true that  or ${fn:escapeXml(whatever)} offers protection
against XSS attacks involving injected HTML/XML markup, but that's not
really enough on the client side. If user-tainted content is emitted
into a JavaScript context, then it has to be protected differently
(most effectively, with a JSON serializer).


On Wed, Oct 15, 2014 at 3:21 AM, VANKEISBELCK Remi wrote:
> Hi,
>
> I guess you can validate whatever you want by providing your own
> ActionBeanPropertyBinder :
> net.sourceforge.stripes.controller.ActionBeanPropertyBinder
>
> I think it can be done very easily by overriding a single method in there,
> maybe :
> net.sourceforge.stripes.controller.DefaultActionBeanPropertyBinder#bind(net.sourceforge.stripes.action.ActionBean,
> java.lang.String, java.lang.Object)
>
> If the value is a String, then check for XSS, and sanitize the String
> before setting the bean prop if needed.
>
> When you output anything in JSP, you should be safe using jstl's  :
> it escapes Xml by default.
>
> Cheers
>
> Rémi
>
>
> 2014-10-14 22:53 GMT+02:00 Adam Stokar :
>>
>> Hi everyone,
>>
>> Does Stripes have an easy way to remove HTML from user input to prevent
>> XSS attacks?  I've googled with no success.
>>
>> Thanks,
>>
>>
>
>



-- 
Turtle, turtle, on the ground,
Pink and shiny, turn around.

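The JavaScript-context encoder Mike's point calls for, as an added example (not code from the thread, from Stripes or from JSTL): a one-string JSON-style serializer that a custom EL function (its taglib mapping is assumed and not shown) would expose to the JSP in place of c:out for values written into a script block.

```java
package example;                                   // hypothetical package name

import java.util.Locale;

/**
 * Serialises one String as a JavaScript string literal (quotes included) for an
 * inline script block, the case where c:out / fn:escapeXml are not enough: inside
 * a script element HTML entities are not decoded, so escapeXml corrupts the value,
 * and inside an event-handler attribute they are decoded before the JavaScript
 * parser runs, so an escaped quote comes back as a real quote.
 *
 * Every character outside a small plain set is written as a unicode escape
 * (backslash-u plus four hex digits), which both JSON and JavaScript accept, so
 * the result holds no quote, backslash, newline, '<', '>' or '&': it cannot close
 * the literal, cannot form a closing script tag, and is unchanged by entity decoding.
 *
 * Intended use through a custom EL function, mapping assumed:
 *   <script>var displayName = ${js:literal(actionBean.user.displayName)};</script>
 */
public final class JsStringLiteral {

    private JsStringLiteral() {}

    public static String encode(String value) {
        if (value == null) {
            return "null";
        }
        StringBuilder out = new StringBuilder(value.length() * 2 + 2).append('"');
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            if (isPlain(c)) {
                out.append(c);
            } else {
                // Surrogate pairs become two escaped UTF-16 units, which is how
                // JavaScript stores them anyway; U+2028 and U+2029, which plain JSON
                // would pass through raw and which end a script line, are covered too.
                out.append(String.format(Locale.ROOT, "\\u%04x", (int) c));
            }
        }
        return out.append('"').toString();
    }

    /** Letters, digits, space and a few punctuation marks pass through unchanged. */
    private static boolean isPlain(char c) {
        return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') || (c >= '0' && c <= '9')
                || c == ' ' || c == '.' || c == ',' || c == '-' || c == '_';
    }
}
```

Because the output is also a valid JSON string, the same routine covers the case Mike mentions of handing a value to a JSON serializer; for a whole object, use a real JSON library and apply the same '<', '>', '&' and U+2028/U+2029 escaping to its output.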