Hello all, I'm in the process of trying to secure my Struts application against "cross site scripting" and "SQL injection" style attacks.

One of the things I'm doing to prevent this is trying to restrict special characters (;.<>(){}... etc.) from getting beyond the validator. At the moment I'm using the validator plugin; within my validation.xml I use the "mask" validator with the regular expression:

    .....
    <var-name>mask</var-name>
    <var-value>^[^;"'\.\^\$\*\+\?\{\}\[\]\\\|\(\)]+$</var-value>
    .....

1. Does anyone know the syntax for also preventing < > & within the regular expression, bearing in mind it's declared in XML? Or is there some kind of default validator that does this?

2. Some of my action functions also take input in the URL as a GET, which does not go through the Validator; this is then used to access a DB, so these also need to be secured. Obviously I can do this within each individual Action class, but where would be the best single place I could stop characters like < > ; & ever getting as far as the Action classes?

Any other suggestions would be much appreciated, as I couldn't find very much related to securing Struts applications.

Many thanks in advance,
regards
James
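As an added illustration (not code from the post or from Struts), here is one way a single servlet Filter could apply the post's mask, extended with < > &, to every request parameter (GET and POST) before the Struts ActionServlet dispatches to any Action class. The class name ParameterMaskFilter and the 400 response are my own choices; in validation.xml the same three characters would be written as &lt; &gt; &amp; inside <var-value>, whereas Java source needs no XML escaping.

```java
import java.io.IOException;
import java.util.Map;
import java.util.regex.Pattern;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Hypothetical filter: applies the post's "mask" allow-list to every request
 *  parameter (query string and form body) before any Struts Action runs. */
public class ParameterMaskFilter implements Filter {

    // Same character class as the post's mask, with < > & appended.
    // Inside a Java character class these three need no escaping; a single '&'
    // is literal (only "&&" would mean class intersection).
    private static final Pattern MASK =
        Pattern.compile("^[^;\"'.^$*+?{}\\[\\]\\\\|()<>&]+$");

    /** True when every supplied value matches the mask. Empty values are allowed
     *  here so that blank form fields are not rejected by the '+' quantifier. */
    static boolean allParametersMatch(Map<String, String[]> params) {
        for (Map.Entry<String, String[]> e : params.entrySet()) {
            for (String value : e.getValue()) {
                if (value.length() > 0 && !MASK.matcher(value).matches()) {
                    return false;
                }
            }
        }
        return true;
    }

    public void init(FilterConfig config) throws ServletException { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        if (!allParametersMatch(request.getParameterMap())) {
            // Reject before the ActionServlet ever sees the request.
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_BAD_REQUEST,
                                                  "Request contains disallowed characters");
            return;
        }
        chain.doFilter(req, res);
    }

    public void destroy() { }
}
```

Map the filter in web.xml with a filter-mapping on the same URL pattern as the Struts ActionServlet so that it runs for every Action, GET or POST. Character filtering of this kind is a defence-in-depth layer; parameterised database queries and output encoding in the JSPs remain the primary controls against SQL injection and cross site scripting.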