RE: Best Practices for handling of XSS attacks
I am currently not using any ajax stuff and I believe using JSON validation is not the solution I am looking for. Although I have no idea what it does, I think it is way too much for my little and simple requirement, and it is also not a good choice from a design point of view.

As I suggested and Dave confirmed, I will use an interceptor to escape the parameters. But now I have come to the following problem in my interceptor code:

    public String intercept(ActionInvocation invocation) throws Exception {
        Map<String, Object> params = invocation.getInvocationContext().getParameters();
        if (params.get(parameter_name) instanceof String) { // never entered???
            String param_var = (String) params.get(parameter_name);
            // escape + write back
            ...
        }
        return invocation.invoke();
    }

It seems params.get(parameter_name) is returning a String[] instead of a String. In my case it should return a String only. As a workaround I could use:

    HttpServletRequest request = (HttpServletRequest) invocation.getInvocationContext().get(HTTP_REQUEST);
    String myParam = request.getParameter(parameter_name);

but before I use this I would like to know why params.get(parameter_name) is not returning a simple String? Any idea?

Pars

From: Martin Gainty <mgai...@hotmail.com>
To: parsmani...@yahoo.de
Sent: Monday, 4 October 2010, 23:27:55
Subject: RE: Best Practices for handling of XSS attacks

> set struts.enableJSONValidation to true e.g.
>
>     -Dstruts.enableJSONValidation=true
>
> OR configured as a parameter in web.xml
>
>     <init-param>
>       <param-name>struts.enableJSONValidation</param-name>
>       <param-value>true</param-value>
>     </init-param>
>
> to enable JSONValidationInterceptor
>
> assume struts-default.xml contains the jsonValidation interceptor
>
>     <interceptors>
>       <interceptor name="jsonValidation" class="org.apache.struts2.interceptor.validation.JSONValidationInterceptor" />
>       <!-- jsonValidation is configured in the jsonValidationWorkflowStack -->
>       <interceptor-stack name="jsonValidationWorkflowStack">
>         <interceptor-ref name="basicStack"/>
>         <interceptor-ref name="validation">
>           <param name="excludeMethods">input,back,cancel</param>
>         </interceptor-ref>
>         <interceptor-ref name="jsonValidation"/>
>         <interceptor-ref name="workflow"/>
>       </interceptor-stack>
>     </interceptors>
>     <!-- the jsonValidationWorkflowStack should be defined as the default-interceptor -->
>     <default-interceptor-ref name="jsonValidationWorkflowStack"/>
>
> Good luck,
> martin
>
> Disclaimer and confidentiality note
> This message is confidential. If you are not the intended recipient, we kindly ask you to notify us. Any unauthorised forwarding or copying is not permitted. This message serves only the exchange of information and has no legally binding effect. Because e-mails are easily manipulated, we cannot accept any liability for their content.
>
> > Date: Mon, 4 Oct 2010 18:53:33 +
> > From: parsmani...@yahoo.de
> > Subject: RE: Best Practices for handling of XSS attacks
> > To: user@struts.apache.org
> >
> > yep, this is what I will do. Where in the defaultStack would you place such an interceptor from an architectural point of view?
> >
> > Pars
> >
> > ----- Original Message -----
> > From: Dave Newton <davelnew...@gmail.com>
> > To: Struts Users Mailing List <user@struts.apache.org>
> > Sent: Monday, 4 October 2010, 19:59:14
> > Subject: Re: Best Practices for handling of XSS attacks
> >
> > > An interceptor is still a reasonable solution.
> > >
> > > But not having a form on each page doesn't really seem like a big deal--just escape any request parameters; no form, no parameters, no problem.
> > >
> > > Dave
> > >
> > > On Mon, Oct 4, 2010 at 11:55 AM, Pars Man <parsmani...@yahoo.de> wrote:
> > > > I don't want to use HDIV because:
> > > > 1. I do not know much about it (yet)
> > > > 2. seems to be heavy weight - I don't need all of its capabilities
> > > >
> > > > But I have the feeling you know more about HDIV. As far as I know HDIV also changes urls, which I also don't want. I just want to make my html forms secure against xss and nothing else. And of course I do not have a form on every page...
> > > >
> > > > Pars
> > > >
> > > > ----- Original Message -----
> > > > From: Dave Newton <davelnew...@gmail.com>
> > > > To: Struts Users Mailing List <user@struts.apache.org>
> > > > Sent: Friday, 1 October 2010, 14:46:03
> > > > Subject: Re: Best Practices for handling of XSS attacks
> > > >
> > > > > An interceptor seems like a reasonable solution.
> > > > >
> > > > > Why don't you want to use HDIV?
> > > > >
> > > > > Dave
> > > > >
> > > > > On Fri, Oct 1, 2010 at 3:15 AM, Pars Man <parsmani...@yahoo.de> wrote:
> > > > > > Hi,
> > > > > >
> > > > > > I am currently checking the web to find something about how to handle XSS attacks in my Struts2 application. Unfortunately I just cannot find anything. I do not want to use HDIV (http://www.hdiv.org/) or the HDIV-Plugin
Re: Best Practices for handling of XSS attacks
Hi Pars,

because it should return an array. In an HTTP request, a parameter with the same name can be entered many times, and that's why it's represented as an array.

Best greetings,
Paweł Wielgus.

2010/10/5 Pars Man <parsmani...@yahoo.de>:
> It seems params.get(parameter_name) is returning a String[] instead of a String. In my case it should return a String only.
> but before I use this I would like to know why params.get(parameter_name) is not returning a simple String? Any idea?
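The escaping interceptor the thread converges on, handling the String[] values Paweł describes, as an added example written for this page and not code from the thread or from Struts itself; the package, class and interceptor names are assumptions, and the Struts 2.1/2.2 ActionContext API is assumed:

```java
package com.example; // hypothetical package

import java.util.HashMap;
import java.util.Map;

import com.opensymphony.xwork2.ActionInvocation;
import com.opensymphony.xwork2.interceptor.AbstractInterceptor;

/**
 * Hypothetical interceptor (written for this thread, not part of Struts or
 * the poster's code) that HTML-escapes every request parameter before the
 * "params" interceptor copies the values onto the action.
 *
 * Register it in struts.xml ahead of "params", e.g.
 *
 *   <interceptor name="htmlEscapeParams" class="com.example.HtmlEscapeParamsInterceptor"/>
 *   ...
 *   <interceptor-ref name="htmlEscapeParams"/>
 *   <interceptor-ref name="params"/>
 *
 * Escaping on input is what the poster asked for. It does not replace
 * escaping on output (the Struts 2 tags escape HTML by default): the stored
 * value now carries entities, so anything that renders it outside an HTML
 * text context, or escapes it a second time, must take that into account.
 */
public class HtmlEscapeParamsInterceptor extends AbstractInterceptor {

    @Override
    public String intercept(ActionInvocation invocation) throws Exception {
        // The context parameter map is Map<String, Object>; each value is a
        // String[] because HTTP allows the same parameter name to repeat.
        Map<String, Object> params = invocation.getInvocationContext().getParameters();
        Map<String, Object> escaped = new HashMap<String, Object>();
        for (Map.Entry<String, Object> entry : params.entrySet()) {
            escaped.put(entry.getKey(), escapeValue(entry.getValue()));
        }
        // Replace the whole map instead of mutating it in place, so this
        // works whether or not the original map is modifiable.
        invocation.getInvocationContext().setParameters(escaped);
        return invocation.invoke();
    }

    /** Escapes a String or every element of a String[]; other types pass through. */
    static Object escapeValue(Object value) {
        if (value instanceof String[]) {
            String[] in = (String[]) value;
            String[] out = new String[in.length];
            for (int i = 0; i < in.length; i++) {
                out[i] = in[i] == null ? null : escapeHtml(in[i]);
            }
            return out;
        }
        if (value instanceof String) {
            return escapeHtml((String) value);
        }
        return value;
    }

    /** Minimal escaper for the five characters that break out of HTML text content. */
    static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }
}
```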
Re: urls and iterations
hi Piotrek

s:a is expanding ftl. for example. link use String? It quickens a little.

    <s:url var="show_url" action="showThread" escapeAmp="false">
      <s:param name="threadId" value="%{id}" />
    </s:url>
    <table border="1" class="threads">
    <s:iterator value="tableValues">
      <tr>
        <td><s:property value="id" /></td>
        <td><a href='<s:property value="%{show_url}" />?threadId=<s:property value="%{id}" />'>show</a></td>
      </tr>
    </s:iterator>

If you're able to use JavaScript, post id. JavaScript function form submit. ex:

    <a onclick="onclickAction(%{id})">

Thanks.
kou
Problem with required validator
Hi,

I have an xml validator for my user login action which requires values for both the userName and password fields. However, when I submit the form with these fields populated I still get the same "Username is required" and "Password is required" messages. Am I right in thinking that the required validator is triggered if no value is supplied for the field? If that's the case, why would it be triggered when I supply values for those fields?

Here is the validation xml file:

    <!DOCTYPE validators PUBLIC "-//OpenSymphony Group//XWork Validator 1.0.2//EN"
        "http://www.opensymphony.com/xwork/xwork-validator-1.0.2.dtd">
    <validators>
      <field name="userName">
        <field-validator type="required">
          <message>Username is required.</message>
        </field-validator>
      </field>
      <field name="password">
        <field-validator type="required">
          <message>Password is required.</message>
        </field-validator>
      </field>
    </validators>

Regards,
Darren

-
To unsubscribe, e-mail: user-unsubscr...@struts.apache.org
For additional commands, e-mail: user-h...@struts.apache.org
Re: Problem with required validator
Without knowing specifically how the validator is configured (where the validation file is when it's deployed, how the action is configured, the form itself, etc.) it's tough to give much beyond "make sure it's configured correctly".

Dave

On Tue, Oct 5, 2010 at 7:52 AM, Darren Karstens <darrenkarst...@gmail.com> wrote:
Re: urls and iterations
Thanks kou

There's still more to learn for me. As I guess, there isn't any mechanism for declaration/evaluation, eg:

    <s:url var='showUrl' action='show' evalLater='true'>
      <s:param name='id' value='%{id}'/>
    </s:url>
    <s:iterator value='items'>
      <s:property value='id' /><br/>
      <s:property value='%{showUrl}' eval='true' /><br/>
    </s:iterator>

Then s:property will be a url that evals with getting item.id ...

For PC browsers I'll use javascript post as you suggested, it will be much cleaner and probably faster.

Thanks again and have a great day
Piotrek
Re: Problem with required validator
You can debug your app, step into the required validator class' validation method, and check whether the value is populated. Maybe it's null.

2010/10/5, Darren Karstens <darrenkarst...@gmail.com>:

--
Sent from my mobile device
*Kun He* (or Raymond He)
A Java Programmer
Alibaba inc.
Re: Problem with required validator
Thanks for the replies. I figured out what the problem was. My model in the action class is a member variable called user, so I needed to change the name of my form fields and validator fields to user.userName instead of just userName.

2010/10/5 Raymond He <raymond.kk...@gmail.com>:
> You can debug your app, step into the required validator class' validation method, and check whether the value is populated. Maybe it's null.
Multipart/Form-Data with Struts 1
I have a legacy application using Struts 1.2.8 and I have the following HTML form:

    <html:form action="/myAction.do" method="post" enctype="multipart/form-data">
      <html-el:textarea property="userEnteredHtml" styleClass="tinyMCE" styleId="tinymce"></html-el:textarea>
    </html:form>

If I include multiple blank lines in the tinyMCE editor, the generated HTML should be:

    <p>&nbsp;</p>

However, IE posts the following HTML:

    <p> </p>

At first glance, I thought that this was exclusively a tinyMCE problem and I posted on their forum. However, the problem goes away when I remove the enctype="multipart/form-data" from the html:form declaration.

Does Struts 1 do anything unusual with the enctype multipart/form-data attribute? It does not seem that other tinyMCE editor users are experiencing this issue (since they probably aren't using Struts 1). Is there any alternative to using multipart/form-data? My form does include a file upload, which is why I initially added the multipart/form-data.

--
View this message in context: http://old.nabble.com/Multipart-Form-Data-with-Struts-1-tp2988p2988.html
Sent from the Struts - User mailing list archive at Nabble.com.
Re: Multipart/Form-Data with Struts 1
If you're uploading a file, the form must be multipart.

Which version of IE? Is it only under IE that it happens?

Dave

On Tue, Oct 5, 2010 at 10:16 AM, DavidZaz <dzaze...@cait.org> wrote:
Re: Multipart/Form-Data with Struts 1
Yes, it only occurs under Internet Explorer. I've reproduced it with IE 7 and 8.

Dave Newton-6 wrote:
> If you're uploading a file, the form must be multipart.
>
> Which version of IE? Is it only under IE that it happens?
>
> Dave

--
View this message in context: http://old.nabble.com/Multipart-Form-Data-with-Struts-1-tp2988p29887895.html
Sent from the Struts - User mailing list archive at Nabble.com.
Using ARIA with Struts tag
Can anyone tell me how we can write an ARIA attribute in a struts tag? I am using Struts 1.3.8.

Thanks
Anjib
Reduce JavaScript Dependency in Struts 2
Hi All,

We use Struts 2 + Spring + Hibernate as our framework and JSP as the UI. After we reviewed the application, our application has quite a lot of JavaScript that causes certain forms not to work properly in one of the browsers.

Any suggestion how we can reduce JavaScript in the JSP? Is jQuery a good option?

Best Regards
Yanto
Re: Reduce JavaScript Dependency in Struts 2
I changed to jQuery not long ago and I have to say the system has improved its performance (I was using the dojo plugin before) as well as the code being cleaner. You'll still need to do some javascripting, but using the jQuery API, which is, as said, cleaner.

On Wed, Oct 6, 2010 at 10:05 AM, Yanto Bong <yantob...@gmail.com> wrote:
Re: Reduce JavaScript Dependency in Struts 2
There is a project which integrates jQuery into Struts2...
http://code.google.com/p/struts2-jquery/

The dojo plugin shipped with Struts 2 is too old...

Hantsy

On 2010/10/6 11:28, Jose A. Corbacho wrote:
Re: Reduce JavaScript Dependency in Struts 2
I meant, yep, using the plugin provided for jQuery.

On Wed, Oct 6, 2010 at 10:40 AM, Hantsy Bai <han...@gmail.com> wrote: