Re: [Stripes-users] Remove HTML from user input
Hi,

I guess you can validate whatever you want by providing your own ActionBeanPropertyBinder: net.sourceforge.stripes.controller.ActionBeanPropertyBinder

I think it can be done very easily by overriding a single method in there, maybe: net.sourceforge.stripes.controller.DefaultActionBeanPropertyBinder#bind(net.sourceforge.stripes.action.ActionBean, java.lang.String, java.lang.Object)

If the value is a String, then check for XSS, and sanitize the String before setting the bean prop if needed.

When you output anything in JSP, you should be safe using JSTL's c:out: it escapes XML by default.

Cheers

Rémi

2014-10-14 22:53 GMT+02:00 Adam Stokar ajsto...@gmail.com:

> Hi everyone,
>
> Does Stripes have an easy way to remove HTML from user input to prevent XSS attacks? I've googled with no success.
>
> Thanks,

___
Stripes-users mailing list
Stripes-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/stripes-users
Re: [Stripes-users] Remove HTML from user input
It's true that c:out or ${fn:escapeXml(whatever)} offers protection against XSS attacks involving injected HTML/XML markup, but that's not really enough on the client side. If user-tainted content is emitted into a JavaScript context, then it has to be protected differently (most effectively, with a JSON serializer).

On Wed, Oct 15, 2014 at 3:21 AM, VANKEISBELCK Remi r...@rvkb.com wrote:

> Hi,
>
> I guess you can validate whatever you want by providing your own ActionBeanPropertyBinder: net.sourceforge.stripes.controller.ActionBeanPropertyBinder
>
> I think it can be done very easily by overriding a single method in there, maybe: net.sourceforge.stripes.controller.DefaultActionBeanPropertyBinder#bind(net.sourceforge.stripes.action.ActionBean, java.lang.String, java.lang.Object)
>
> If the value is a String, then check for XSS, and sanitize the String before setting the bean prop if needed.
>
> When you output anything in JSP, you should be safe using JSTL's c:out: it escapes XML by default.
>
> Cheers
>
> Rémi

-- 
Turtle, turtle, on the ground,
Pink and shiny, turn around.
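The two output contexts Christopher distinguishes, as an added example that is not from the thread or from Stripes: escapeXml mirrors the five replacements JSTL's fn:escapeXml / c:out apply (assumed to match JSTL's mapping), and toJsLiteral is the JSON-serializer approach for a script context. All function names are my own.

```javascript
// Added example (not from the thread). Two encoders, one per output context.

// HTML/XML text context: the five replacements JSTL's fn:escapeXml and
// <c:out> perform (assumed mapping: & < > " ' -> &amp; &lt; &gt; &#034; &#039;).
function escapeXml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&#034;')
    .replace(/'/g, '&#039;');
}

// JavaScript context (e.g. var name = ${...}; inside a <script> block).
// Entity escaping is the wrong tool here: the browser does not decode
// entities inside script text. Serialize as JSON, then escape the characters
// that could still close the script element or break a JS string literal.
function toJsLiteral(value) {
  return JSON.stringify(value)
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/&/g, '\\u0026')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// Checks used by the assertions: no raw markup delimiters survive in the HTML
// context, and no raw "<" or ">" survive in the JS literal, so a closing tag
// can never appear inside it.
function htmlContextSafe(rendered) {
  return !/[<>"']/.test(rendered);
}
function jsContextSafe(literal) {
  return !/[<>]/.test(literal);
}

// The JS literal must still decode to the original value once the browser
// parses it; JSON.parse accepts the \uXXXX escapes we emitted.
function roundTrip(value) {
  return JSON.parse(toJsLiteral(value));
}

// Constructed sample: a user-supplied display name containing markup characters.
const untrusted = 'O\'Brien <b>& "friends"</b>';
const html = escapeXml(untrusted);   // for <p>${...}</p>
const js = toJsLiteral(untrusted);   // for var name = ${...};
```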
[Stripes-users] Remove HTML from user input
Hi everyone,

Does Stripes have an easy way to remove HTML from user input to prevent XSS attacks? I've googled with no success.

Thanks,
Re: [Stripes-users] Remove HTML from user input
XSS is part of a wider class of attacks (like SQL injection) that are more *output* problems than input problems. There are solutions in the JSP world for escaping content in HTML/XML contexts, just as there are solutions for protecting queries from user-supplied data in the SQL world.

On Tue, Oct 14, 2014 at 3:53 PM, Adam Stokar ajsto...@gmail.com wrote:

> Hi everyone,
>
> Does Stripes have an easy way to remove HTML from user input to prevent XSS attacks? I've googled with no success.
>
> Thanks,

-- 
Turtle, turtle, on the ground,
Pink and shiny, turn around.
Re: [Stripes-users] Remove HTML from user input
Escaping HTML? http://tinyurl.com/p7cymrs

On Tue, Oct 14, 2014 at 1:53 PM, Adam Stokar ajsto...@gmail.com wrote:

> Hi everyone,
>
> Does Stripes have an easy way to remove HTML from user input to prevent XSS attacks? I've googled with no success.
>
> Thanks,
Re: [Stripes-users] Remove HTML from user input
I've been using this one https://github.com/StripesFramework/stripes-xss quite successfully; I have it modified a bit to serve a more complex use case of having more relaxed rules for some URL-field name combinations (e.g. those that I KNOW have CKEditor on them).