Hello all,
I'm in the process of trying to secure my Struts application against "cross-site
scripting" and "SQL injection" style attacks.
One of the things I'm doing to prevent this is trying to restrict special characters
(;.<>(){}...etc) getting beyond the validator.
At the moment I'm using the validator plugin; within my validation.xml I use the
"mask" validator with the regular expression:
.....
<var-name>mask</var-name>
<var-value>^[^;"'\.\^\$\*\+\?\{\}\[\]\\\|\(\)]+$</var-value>
.....
1. Does anyone know the syntax for also preventing < > & within the regular expression,
bearing in mind it's declared in XML?
Or is there some kind of default validator that does this?
2. Some of my action functions also take input in the URL as a GET, which does not go
through the Validator; this is then used to access a DB, so these also need to be
secured. Obviously I can do this within each individual Action class, but where would
be the best single place I could stop characters like < > ; & ever getting as far as
the Action classes?
Any other suggestions would be much appreciated, as I couldn't find very much related
to securing Struts applications.
Many thanks in advance,
Regards,
James
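As an added example (not from the post above and not part of Struts itself), one single place to apply the same character restriction to GET parameters before any Action runs is a servlet Filter mapped in front of the ActionServlet; the class name is assumed. It compiles the post's mask extended with < > & and shows in a comment how those three characters are written as XML entities inside <var-value>, since a literal < or & is not legal in element content.

```java
import java.io.IOException;
import java.util.Iterator;
import java.util.Map;
import java.util.regex.Pattern;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical filter: rejects any request whose parameters (query string or
 * form body, so GET and POST alike) contain characters outside the allowed
 * set, so Struts Actions and the DB code behind them never see such values.
 */
public class ParameterMaskFilter implements Filter {

    // Same character class as the "mask" validator in the post, plus < > &.
    // In validation.xml the same expression must use XML entities:
    //   <var-value>^[^;"'\.\^\$\*\+\?\{\}\[\]\\\|\(\)&lt;&gt;&amp;]+$</var-value>
    private static final Pattern ALLOWED =
        Pattern.compile("^[^;\"'\\.\\^\\$\\*\\+\\?\\{\\}\\[\\]\\\\\\|\\(\\)<>&]+$");

    public void init(FilterConfig config) throws ServletException { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        Map params = req.getParameterMap();              // name -> String[]
        for (Iterator it = params.entrySet().iterator(); it.hasNext(); ) {
            Map.Entry e = (Map.Entry) it.next();
            String[] values = (String[]) e.getValue();
            for (int i = 0; i < values.length; i++) {
                if (!isAllowed(values[i])) {
                    // Refuse here, before the ActionServlet dispatches the request.
                    ((HttpServletResponse) res).sendError(
                        HttpServletResponse.SC_BAD_REQUEST,
                        "Parameter '" + e.getKey() + "' contains a disallowed character");
                    return;
                }
            }
        }
        chain.doFilter(req, res);
    }

    /** True when the value contains only permitted characters; empty values pass,
     *  matching the validator's behaviour of skipping the mask on blank fields. */
    static boolean isAllowed(String value) {
        return value.length() == 0 || ALLOWED.matcher(value).matches();
    }

    public void destroy() { }
}
```

Declare it in web.xml with a <filter> and a <filter-mapping> on the ActionServlet's URL pattern (for example *.do); it is a defence-in-depth layer and complements, rather than replaces, PreparedStatement for the DB access and HTML-encoding of values when they are rendered.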