RE: Best Practices for handling of XSS attacks
I am currently not using any ajax stuff and i belive using JSON validation is
not the
solution I am looking for. Although I have no idea what it does i think it is
way too much for my little
and simple requirement and if is also not a good choice from design point of
view.
as i suggested and dave confirmed i will use an interceptor to escape the
parameters. but now i
have come to the following problem in my interceptor code:
public String intercept(ActionInvocation invocation) throws Exception {
MapString,Object
params = invocation.getInvocationContext().getParameters();
if (params.get(parameter_name) instanceof String){
//never entered???
String param_var= params.get(parameter_name);
//escape + write back ...
}
return invocation.invoke ();
}
It seems params.get(parameter_name) is returning an String [] instead of an
String. In my case it should return a String only.
As a workaround i could use:
HttpServletRequest request = (HttpServletRequest)
invocation.getInvocationContext ().get(HTTP_REQUEST);
String myParam = request.getParameter (parameter_name);
but before I use this I would like to know why params.get(parameter_name) is
not returning a simple String?
Any idea?
Pars
Von: Martin Gainty mgai...@hotmail.com
An: parsmani...@yahoo.de
Gesendet: Montag, den 4. Oktober 2010, 23:27:55 Uhr
Betreff: RE: Best Practices for handling of XSS attacks
set struts.enableJSONValidation to true e.g.
-Dstruts.enableJSONValidation=true
OR configured as a parameter in web.xml\
init-param
param-namestruts.enableJSONValidation/param-name
param-valuetrue/param-value
/init-param
to enable JSONValidationInterceptor assume struts-default.xml contains the
jsonValidation interceptor
interceptors
interceptor name=jsonValidation
class=org.apache.struts2.interceptor.validation.JSONValidationInterceptor /
!-- jsonValidation is configured in the jsonValidationWorkflowStack --
interceptor-stack name=jsonValidationWorkflowStack
interceptor-ref name=basicStack/
interceptor-ref name=validation
param name=excludeMethodsinput,back,cancel/param
/interceptor-ref
interceptor-ref name=jsonValidation/
interceptor-ref name=workflow/
/interceptor-stack
!-- the jsonValidationWorkflowStack should be defined as the
default-interceptor --
default-interceptor-ref name=jsonValidationWorkflowStack/
Viel Gluck,
martin
__
Verzicht und Vertraulichkeitanmerkung
Diese Nachricht ist vertraulich. Sollten Sie nicht der vorgesehene Empfaenger
sein, so bitten wir hoeflich um eine Mitteilung. Jede unbefugte Weiterleitung
oder Fertigung einer Kopie ist unzulaessig. Diese Nachricht dient lediglich dem
Austausch von Informationen und entfaltet keine rechtliche Bindungswirkung.
Aufgrund der leichten Manipulierbarkeit von E-Mails koennen wir keine Haftung
fuer den Inhalt uebernehmen.
Date: Mon, 4 Oct 2010 18:53:33 +
From: parsmani...@yahoo.de
Subject: RE: Best Practices for handling of XSS attacks
To: user@struts.apache.org
yep, this is what i will do.
Where in the defaultStack would you place such an interceptor from an
architecual point of view?
Pars
- Ursprüngliche Mail
Von: Dave Newton davelnew...@gmail.com
An: Struts Users Mailing List user@struts.apache.org
Gesendet: Montag, den 4. Oktober 2010, 19:59:14 Uhr
Betreff: Re: Best Practices for handling of XSS attacks
An interceptor is still a reasonable solution. But not having a form on each
page doesn't really seem like a big deal--just escape any request
parameters; no form, no parameters, no problem.
Dave
On Mon, Oct 4, 2010 at 11:55 AM, Pars Man parsmani...@yahoo.de wrote:
I don't want to use HDIV because:
1. i do not know muc about it (yet)
2. seems to be heavy weight - I don't need all of its capabilities
But I have the feeling you know more about HDIV. As far as I know HDIV also
changes urls, which I also don't want.
I just want to make my html forms secure against xss and nothing else. and
of
courese i fo not have a form on on every page...
Pars
- Ursprüngliche Mail
Von: Dave Newton davelnew...@gmail.com
An: Struts Users Mailing List user@struts.apache.org
Gesendet: Freitag, den 1. Oktober 2010, 14:46:03 Uhr
Betreff: Re: Best Practices for handling of XSS attacks
An interceptor seems like a reasonable solution. Why don't you want to use
HDIV?
Dave
On Fri, Oct 1, 2010 at 3:15 AM, Pars Man parsmani...@yahoo.de wrote:
Hi,
I am currently checking the web to find something about how to handle XSS
attacks in my Struts2 application.
Unfortunately I just cannot find anything.
I do not want to use HDIV (http://www.hdiv.org/) or the HDIV-Plugin
Re: Best Practices for handling of XSS attacks
Hi Pars,
because it should return an array.
In HTTP reguest parameter with the same name can be entered many times,
and that's why it's represented as an array.
Best greetings,
Paweł Wielgus.
2010/10/5 Pars Man parsmani...@yahoo.de:
I am currently not using any ajax stuff and i belive using JSON validation is
not the
solution I am looking for. Although I have no idea what it does i think it is
way too much for my little
and simple requirement and if is also not a good choice from design point of
view.
as i suggested and dave confirmed i will use an interceptor to escape the
parameters. but now i
have come to the following problem in my interceptor code:
public String intercept(ActionInvocation invocation) throws Exception {
MapString,Object
params = invocation.getInvocationContext().getParameters();
if (params.get(parameter_name) instanceof String){
//never entered???
String param_var= params.get(parameter_name);
//escape + write back ...
}
return invocation.invoke ();
}
It seems params.get(parameter_name) is returning an String [] instead of an
String. In my case it should return a String only.
As a workaround i could use:
HttpServletRequest request = (HttpServletRequest)
invocation.getInvocationContext ().get(HTTP_REQUEST);
String myParam = request.getParameter (parameter_name);
but before I use this I would like to know why params.get(parameter_name) is
not returning a simple String?
Any idea?
Pars
Von: Martin Gainty mgai...@hotmail.com
An: parsmani...@yahoo.de
Gesendet: Montag, den 4. Oktober 2010, 23:27:55 Uhr
Betreff: RE: Best Practices for handling of XSS attacks
set struts.enableJSONValidation to true e.g.
-Dstruts.enableJSONValidation=true
OR configured as a parameter in web.xml\
init-param
param-namestruts.enableJSONValidation/param-name
param-valuetrue/param-value
/init-param
to enable JSONValidationInterceptor assume struts-default.xml contains the
jsonValidation interceptor
interceptors
interceptor name=jsonValidation
class=org.apache.struts2.interceptor.validation.JSONValidationInterceptor /
!-- jsonValidation is configured in the jsonValidationWorkflowStack --
interceptor-stack name=jsonValidationWorkflowStack
interceptor-ref name=basicStack/
interceptor-ref name=validation
param name=excludeMethodsinput,back,cancel/param
/interceptor-ref
interceptor-ref name=jsonValidation/
interceptor-ref name=workflow/
/interceptor-stack
!-- the jsonValidationWorkflowStack should be defined as the
default-interceptor --
default-interceptor-ref name=jsonValidationWorkflowStack/
Viel Gluck,
martin
__
Verzicht und Vertraulichkeitanmerkung
Diese Nachricht ist vertraulich. Sollten Sie nicht der vorgesehene Empfaenger
sein, so bitten wir hoeflich um eine Mitteilung. Jede unbefugte Weiterleitung
oder Fertigung einer Kopie ist unzulaessig. Diese Nachricht dient lediglich
dem
Austausch von Informationen und entfaltet keine rechtliche Bindungswirkung.
Aufgrund der leichten Manipulierbarkeit von E-Mails koennen wir keine Haftung
fuer den Inhalt uebernehmen.
Date: Mon, 4 Oct 2010 18:53:33 +
From: parsmani...@yahoo.de
Subject: RE: Best Practices for handling of XSS attacks
To: user@struts.apache.org
yep, this is what i will do.
Where in the defaultStack would you place such an interceptor from an
architecual point of view?
Pars
- Ursprüngliche Mail
Von: Dave Newton davelnew...@gmail.com
An: Struts Users Mailing List user@struts.apache.org
Gesendet: Montag, den 4. Oktober 2010, 19:59:14 Uhr
Betreff: Re: Best Practices for handling of XSS attacks
An interceptor is still a reasonable solution. But not having a form on each
page doesn't really seem like a big deal--just escape any request
parameters; no form, no parameters, no problem.
Dave
On Mon, Oct 4, 2010 at 11:55 AM, Pars Man parsmani...@yahoo.de wrote:
I don't want to use HDIV because:
1. i do not know muc about it (yet)
2. seems to be heavy weight - I don't need all of its capabilities
But I have the feeling you know more about HDIV. As far as I know HDIV also
changes urls, which I also don't want.
I just want to make my html forms secure against xss and nothing else. and
of
courese i fo not have a form on on every page...
Pars
- Ursprüngliche Mail
Von: Dave Newton davelnew...@gmail.com
An: Struts Users Mailing List user@struts.apache.org
Gesendet: Freitag, den 1. Oktober 2010, 14:46:03 Uhr
Betreff: Re: Best Practices for handling of XSS attacks
An interceptor seems like a reasonable solution. Why don't you want to use
HDIV?
Dave
On Fri, Oct 1, 2010 at 3:15 AM, Pars Man parsmani...@yahoo.de wrote:
Hi,
I
Re: urls and iterations
hi Piotrek
s:a is expanding ftl.
for example. link use String ?
It quickens a little.
s:url var=show_url action=showThread escapeAmp=false
s:param name=threadId value=%{id} /
/s:url
table border=1 class=threads
s:iterator value=tableValues
tr
tds:property value=id //td
tda href='s:property value=%{show_url} /?threadId=s:property
value=%{id} /' show/a/td
/tr
/s:iterator
if you're able to use JavaScript .
post id.
JavaScript function form submit.
ex : a onclick=onclickAction(%{id})
Thanks.
kou
Problem with required validator
Hi, I have a xml validator for my user login action which requires values for both the userName and password fields. However when submit the form with these fields populated I still get the same Username is required and Password is required messages. Am I right in thinking that the required validator is triggered if no value is supplied for the field? If thats the case why would it be triggered when I supply values for those fields? Here is the validation xml file: !DOCTYPE validators PUBLIC -//OpenSymphony Group//XWork Validator 1.0.2//EN http://www.opensymphony.com/xwork/xwork-validator-1.0.2.dtd; validators field name=userName field-validator type=required messageUsername is required./message /field-validator /field field name=password field-validator type=required messagePassword is required./message /field-validator /field /validators Regards, Darren - To unsubscribe, e-mail: user-unsubscr...@struts.apache.org For additional commands, e-mail: user-h...@struts.apache.org
Re: Problem with required validator
Without knowing specifically how the validator is configured (where is the validation file when it's deployed, how the action is configured, the form itself, etc.) it's tough to give much beyond make sure it's configured correctly. Dave On Tue, Oct 5, 2010 at 7:52 AM, Darren Karstens darrenkarst...@gmail.comwrote: Hi, I have a xml validator for my user login action which requires values for both the userName and password fields. However when submit the form with these fields populated I still get the same Username is required and Password is required messages. Am I right in thinking that the required validator is triggered if no value is supplied for the field? If thats the case why would it be triggered when I supply values for those fields? Here is the validation xml file: !DOCTYPE validators PUBLIC -//OpenSymphony Group//XWork Validator 1.0.2//EN http://www.opensymphony.com/xwork/xwork-validator-1.0.2.dtd; validators field name=userName field-validator type=required messageUsername is required./message /field-validator /field field name=password field-validator type=required messagePassword is required./message /field-validator /field /validators Regards, Darren - To unsubscribe, e-mail: user-unsubscr...@struts.apache.org For additional commands, e-mail: user-h...@struts.apache.org
Re: urls and iterations
Thank kou Kou
There's still more to learn for me
As I guess there isn't any mechanism for declaration/evaluation, eg:
s:url var='showUrl' action='show' evalLater='true'
s:param name='id' value='%{id}/
/s:url
s:iterator value='items'
s:property value='id' /br/
s:property value='%{showUrl}' eval='true' /br/
/s:iterator
Then s:property will be url that evals with getting item.id ...
For PC browsers I'll use javascript post as you suggested, it will be
much cleaner and probably faster
Thanks again and have a great day
Piotrek
-
To unsubscribe, e-mail: user-unsubscr...@struts.apache.org
For additional commands, e-mail: user-h...@struts.apache.org
Re: Problem with required validator
You can debug your app,and step in the required validator class'validation method. And check whether the value is populated . Maybe it'snull . 2010/10/5, Darren Karstens darrenkarst...@gmail.com: Hi, I have a xml validator for my user login action which requires values for both the userName and password fields. However when submit the form with these fields populated I still get the same Username is required and Password is required messages. Am I right in thinking that the required validator is triggered if no value is supplied for the field? If thats the case why would it be triggered when I supply values for those fields? Here is the validation xml file: !DOCTYPE validators PUBLIC -//OpenSymphony Group//XWork Validator 1.0.2//EN http://www.opensymphony.com/xwork/xwork-validator-1.0.2.dtd; validators field name=userName field-validator type=required messageUsername is required./message /field-validator /field field name=password field-validator type=required messagePassword is required./message /field-validator /field /validators Regards, Darren - To unsubscribe, e-mail: user-unsubscr...@struts.apache.org For additional commands, e-mail: user-h...@struts.apache.org -- 从我的移动设备发送 *Kun He* (or Raymond He) A Java Programmer Alibaba inc. - To unsubscribe, e-mail: user-unsubscr...@struts.apache.org For additional commands, e-mail: user-h...@struts.apache.org
Re: Problem with required validator
Thanks for the replies. I figured out what the problem was. My model in the action class is a member variable called user, so I needed to change the name of my form fields and validator fields to user.userName instead of just userName. 2010/10/5 Raymond He raymond.kk...@gmail.com: You can debug your app,and step in the required validator class'validation method. And check whether the value is populated . Maybe it'snull . 2010/10/5, Darren Karstens darrenkarst...@gmail.com: Hi, I have a xml validator for my user login action which requires values for both the userName and password fields. However when submit the form with these fields populated I still get the same Username is required and Password is required messages. Am I right in thinking that the required validator is triggered if no value is supplied for the field? If thats the case why would it be triggered when I supply values for those fields? Here is the validation xml file: !DOCTYPE validators PUBLIC -//OpenSymphony Group//XWork Validator 1.0.2//EN http://www.opensymphony.com/xwork/xwork-validator-1.0.2.dtd; validators field name=userName field-validator type=required messageUsername is required./message /field-validator /field field name=password field-validator type=required messagePassword is required./message /field-validator /field /validators Regards, Darren - To unsubscribe, e-mail: user-unsubscr...@struts.apache.org For additional commands, e-mail: user-h...@struts.apache.org -- 从我的移动设备发送 *Kun He* (or Raymond He) A Java Programmer Alibaba inc. - To unsubscribe, e-mail: user-unsubscr...@struts.apache.org For additional commands, e-mail: user-h...@struts.apache.org - To unsubscribe, e-mail: user-unsubscr...@struts.apache.org For additional commands, e-mail: user-h...@struts.apache.org
Multipart/Form-Data with Struts 1
I have a legacy application using Struts 1.2.8 and I have the following HTML form: html:form action=/myAction.do method=post enctype=multipart/form-data html-el:textarea property=userEnteredHtml styleClass=tinyMCE styleId=tinymce/html-el:textarea /html:form If I include multiple blank lines in the tinyMCE editor, the generated HTML should be: pnbsp;/p However, IE posts the following HTML: p /p At first glance, I thought that this was exclusively a tinyMCE problem and I posted on their forum. However, the problem goes away when I remove the enctype=multipart/form-data from the html:form declaration. Does Struts 1 do anything unusual with the enctype multipart/form-data attribute? It does not seem that other tinyMCE editor users are experiencing this issue (since they probably aren't using Struts 1). Is there any alternative to using multipart/form-data? My form does include a file upload which is why I initially added the multipart/form-data. -- View this message in context: http://old.nabble.com/Multipart-Form-Data-with-Struts-1-tp2988p2988.html Sent from the Struts - User mailing list archive at Nabble.com. - To unsubscribe, e-mail: user-unsubscr...@struts.apache.org For additional commands, e-mail: user-h...@struts.apache.org
Re: Multipart/Form-Data with Struts 1
If you're uploading a file, the form must be multipart. Which version of IE? Is it only under IE that it happens? Dave On Tue, Oct 5, 2010 at 10:16 AM, DavidZaz dzaze...@cait.org wrote: I have a legacy application using Struts 1.2.8 and I have the following HTML form: html:form action=/myAction.do method=post enctype=multipart/form-data html-el:textarea property=userEnteredHtml styleClass=tinyMCE styleId=tinymce/html-el:textarea /html:form If I include multiple blank lines in the tinyMCE editor, the generated HTML should be: pnbsp;/p However, IE posts the following HTML: p /p At first glance, I thought that this was exclusively a tinyMCE problem and I posted on their forum. However, the problem goes away when I remove the enctype=multipart/form-data from the html:form declaration. Does Struts 1 do anything unusual with the enctype multipart/form-data attribute? It does not seem that other tinyMCE editor users are experiencing this issue (since they probably aren't using Struts 1). Is there any alternative to using multipart/form-data? My form does include a file upload which is why I initially added the multipart/form-data. -- View this message in context: http://old.nabble.com/Multipart-Form-Data-with-Struts-1-tp2988p2988.html Sent from the Struts - User mailing list archive at Nabble.com. - To unsubscribe, e-mail: user-unsubscr...@struts.apache.org For additional commands, e-mail: user-h...@struts.apache.org
Re: Multipart/Form-Data with Struts 1
Yes, it only occurs under Internet Explorer. I've reproduced with IE 7 and 8. Dave Newton-6 wrote: If you're uploading a file, the form must be multipart. Which version of IE? Is it only under IE that it happens? Dave On Tue, Oct 5, 2010 at 10:16 AM, DavidZaz dzaze...@cait.org wrote: I have a legacy application using Struts 1.2.8 and I have the following HTML form: html:form action=/myAction.do method=post enctype=multipart/form-data html-el:textarea property=userEnteredHtml styleClass=tinyMCE styleId=tinymce/html-el:textarea /html:form If I include multiple blank lines in the tinyMCE editor, the generated HTML should be: pnbsp;/p However, IE posts the following HTML: p /p At first glance, I thought that this was exclusively a tinyMCE problem and I posted on their forum. However, the problem goes away when I remove the enctype=multipart/form-data from the html:form declaration. Does Struts 1 do anything unusual with the enctype multipart/form-data attribute? It does not seem that other tinyMCE editor users are experiencing this issue (since they probably aren't using Struts 1). Is there any alternative to using multipart/form-data? My form does include a file upload which is why I initially added the multipart/form-data. -- View this message in context: http://old.nabble.com/Multipart-Form-Data-with-Struts-1-tp2988p2988.html Sent from the Struts - User mailing list archive at Nabble.com. - To unsubscribe, e-mail: user-unsubscr...@struts.apache.org For additional commands, e-mail: user-h...@struts.apache.org -- View this message in context: http://old.nabble.com/Multipart-Form-Data-with-Struts-1-tp2988p29887895.html Sent from the Struts - User mailing list archive at Nabble.com. - To unsubscribe, e-mail: user-unsubscr...@struts.apache.org For additional commands, e-mail: user-h...@struts.apache.org
Using ARIA with Struts tag
Can anyone tell me how we can write ARIA attribute in struts tag. I ma using Struts 1.3.8 Thanks Anjib
Reduce Java Script Depecency in Struts 2
Hi All, We've use Struts 2+Spring+Hibernate as our framework and use JSP as the UI. After we review the application, our application having quite a lot Java Script that cause certain form not working propertly in one of the browser. Any suggesstion how we can reduce Java Script in the JSP ? is the JQuery is a good option ? Best Regards Yanto
Re: Reduce Java Script Depecency in Struts 2
I changed to jQuery not long time ago and I have to say the system has improved its performance (I was using before the dojo plugin) as well as the code being cleaner. You'll still need to do some javascripting but using jQuery API that is, as said, cleaner. On Wed, Oct 6, 2010 at 10:05 AM, Yanto Bong yantob...@gmail.com wrote: Hi All, We've use Struts 2+Spring+Hibernate as our framework and use JSP as the UI. After we review the application, our application having quite a lot Java Script that cause certain form not working propertly in one of the browser. Any suggesstion how we can reduce Java Script in the JSP ? is the JQuery is a good option ? Best Regards Yanto
Re: Reduce Java Script Depecency in Struts 2
There is a project which integrated JQuery into Struts2... http://code.google.com/p/struts2-jquery/ The dojo plugin shipped with Struts 2 is too old... Hantsy 于 2010/10/6 11:28, Jose A. Corbacho 写道: I changed to jQuery not long time ago and I have to say the system has improved its performance (I was using before the dojo plugin) as well as the code being cleaner. You'll still need to do some javascripting but using jQuery API that is, as said, cleaner. On Wed, Oct 6, 2010 at 10:05 AM, Yanto Bongyantob...@gmail.com wrote: Hi All, We've use Struts 2+Spring+Hibernate as our framework and use JSP as the UI. After we review the application, our application having quite a lot Java Script that cause certain form not working propertly in one of the browser. Any suggesstion how we can reduce Java Script in the JSP ? is the JQuery is a good option ? Best Regards Yanto - To unsubscribe, e-mail: user-unsubscr...@struts.apache.org For additional commands, e-mail: user-h...@struts.apache.org
Re: Reduce Java Script Depecency in Struts 2
I meant, yep, using the plugin provided for jQuery. On Wed, Oct 6, 2010 at 10:40 AM, Hantsy Bai han...@gmail.com wrote: There is a project which integrated JQuery into Struts2... http://code.google.com/p/struts2-jquery/ The dojo plugin shipped with Struts 2 is too old... Hantsy 于 2010/10/6 11:28, Jose A. Corbacho 写道: I changed to jQuery not long time ago and I have to say the system has improved its performance (I was using before the dojo plugin) as well as the code being cleaner. You'll still need to do some javascripting but using jQuery API that is, as said, cleaner. On Wed, Oct 6, 2010 at 10:05 AM, Yanto Bongyantob...@gmail.com wrote: Hi All, We've use Struts 2+Spring+Hibernate as our framework and use JSP as the UI. After we review the application, our application having quite a lot Java Script that cause certain form not working propertly in one of the browser. Any suggesstion how we can reduce Java Script in the JSP ? is the JQuery is a good option ? Best Regards Yanto - To unsubscribe, e-mail: user-unsubscr...@struts.apache.org For additional commands, e-mail: user-h...@struts.apache.org
