Hi,
I guess you can validate whatever you want by providing your own
ActionBeanPropertyBinder:
net.sourceforge.stripes.controller.ActionBeanPropertyBinder
I think it can be done very easily by overriding a single method in there,
maybe :
It's true that c:out or ${fn:escapeXml(whatever)} offers protection
against XSS attacks involving injected HTML/XML markup, but that's not
really enough on the client side. If user-tainted content is emitted
into a JavaScript context, then it has to be protected differently
(most effectively, with
Hi everyone,
Does Stripes have an easy way to remove HTML from user input to prevent XSS
attacks? I've googled with no success.
Thanks,
XSS is part of a wider class of attacks (like SQL injection) that are
more *output* problems than input problems. There are solutions in the
JSP world for escaping content in HTML/XML contexts, just as there are
solutions for protecting queries from user-supplied data in the SQL
world.
On Tue,
Escaping HTML?
http://tinyurl.com/p7cymrs
On Tue, Oct 14, 2014 at 1:53 PM, Adam Stokar ajsto...@gmail.com wrote:
Hi everyone,
Does Stripes have an easy way to remove HTML from user input to prevent
XSS attacks? I've googled with no success.
Thanks,
I've been using this one https://github.com/StripesFramework/stripes-xss
quite successfully; I have it modified a bit to serve a more complex use
case of having more relaxed rules for some URL-field name combinations
(e.g. those that I KNOW have CKEditor on them).
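
The point raised earlier in the thread, that `c:out` / `${fn:escapeXml(...)}` covers HTML/XML markup but not a JavaScript context, shown as an added example (not code from Stripes, stripes-xss or any poster). The class and method names are hypothetical, `escapeXml` re-implements the five JSTL replacements so the demo runs without a servlet container, and the hex-escaping JavaScript encoder is one common approach chosen here as an assumption.

```java
public class ContextEncodingDemo {

    // Same five replacements that JSTL's c:out / fn:escapeXml perform.
    static String escapeXml(String s) {
        StringBuilder out = new StringBuilder();
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&#034;"); break;
                case '\'': out.append("&#039;"); break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // Encoder for a value placed inside a quoted JavaScript string literal:
    // every char that is not an ASCII letter or digit becomes a 4-digit hex escape.
    static String escapeJsString(String s) {
        StringBuilder out = new StringBuilder();
        for (char c : s.toCharArray()) {
            boolean alnum = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z')
                         || (c >= '0' && c <= '9');
            if (alnum) out.append(c);
            else out.append(String.format("\\u%04x", (int) c));
        }
        return out.toString();
    }

    // What the HTML parser does to an attribute value before the script
    // engine sees it (only the entities produced by escapeXml are handled).
    static String htmlAttributeDecode(String s) {
        return s.replace("&#039;", "'").replace("&#034;", "\"")
                .replace("&lt;", "<").replace("&gt;", ">").replace("&amp;", "&");
    }

    public static void main(String[] args) {
        String input = "O'Brien\\"; // constructed sample: a quote and a trailing backslash
        // onclick="greet('...')": the entity is decoded, so the raw quote is back.
        String inHandler = htmlAttributeDecode(escapeXml(input));
        System.out.println("event handler sees: greet('" + inHandler + "')");
        // <script>var n = '...';</script>: the backslash passes through untouched.
        System.out.println("script block sees:  var n = '" + escapeXml(input) + "';");
        // Encoded for the JavaScript string context: quote and backslash are neutralised.
        System.out.println("encoded for JS:     var n = '" + escapeJsString(input) + "';");
    }
}
```

In the first two lines of output the string literal no longer ends where the template author intended, even though the value went through `escapeXml`; in the third it does.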