Uday,

I'm afraid you may be mistaken on at least one of your points.  At least the
HTML taglib makes sure that all values are filtered to prevent cross-site
scripting by parsing <> and other characters.  Here is a code snippet from
(I think) the nightly build.  I'm not sure about versions before Struts
v1.2.X variants:

http://svn.apache.org/viewcvs.cgi/struts/trunk/src/share/org/apache/struts/taglib/html/BaseFieldTag.java?rev=54929&view=auto

    /**
     * Return the given value as a formatted <code>String</code>.  This
     * implementation escapes potentially harmful HTML characters.
     *
     * @param value The value to be formatted. <code>null</code> values will
     * be returned as the empty String "".
     *
     * @throws JspException if a JSP exception has occurred
     *
     * @since Struts 1.2
     */
    protected String formatValue(Object value) throws JspException {
        if (value == null) {
            return "";
        }

        return TagUtils.getInstance().filter(value.toString());
    }

Perhaps you should upgrade your Struts deployment to avoid duplicating work
for yourself. (IMHO)

Regards,
David
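
As an added illustration (not the Struts source and not part of this thread's original code): a stand-alone Java re-implementation of the escaping that TagUtils.filter() applies, rendered into an <input> the way the html taglib's formatValue() path would, plus the null-character caveat raised earlier in the thread. It assumes the Struts 1.2 filter replaces exactly the characters <, >, &, " and '.

```java
/**
 * Stand-alone re-implementation of the escaping Struts' TagUtils.filter()
 * applies (assumption: the Struts 1.2 filter replaces exactly <, >, &, " and ').
 * Not the Struts source; added to show what formatValue() buys you.
 */
public class EscapeDemo {

    /** Same contract as formatValue() above: null becomes "", markup chars become entities. */
    static String filter(String value) {
        if (value == null) {
            return "";
        }
        StringBuilder out = new StringBuilder(value.length() + 16);
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            switch (c) {
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '&':  out.append("&amp;");  break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    /** Roughly what an <html:text> tag emits for a bean property holding 'value'. */
    static String renderInput(String name, String value) {
        return "<input type=\"text\" name=\"" + filter(name)
             + "\" value=\"" + filter(value) + "\">";
    }

    public static void main(String[] args) {
        // Constructed sample: a value that would close the attribute and start
        // a new element if the JSP echoed it back unescaped.
        String hostile = "\"><script>alert(1)</script>";
        String html = renderInput("user", hostile);
        System.out.println(html);
        System.out.println("raw <script> tag present: " + html.contains("<script"));

        // Caveat: the filter only neutralises markup characters. A NUL byte
        // passes straight through, so a null-character check still has to
        // happen on the input side (e.g. in the Validator framework).
        String withNul = "bob\u0000";
        System.out.println("NUL survives filter(): "
            + (filter(withNul).indexOf('\u0000') >= 0));
    }
}
```

The escaped <input> keeps the whole hostile string inside one attribute value, which is the property that stops the reflected-input XSS Uday describes; the NUL case shows why output escaping complements rather than replaces input validation.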

-----Original Message-----
From: Seetamraju, Uday [mailto:[EMAIL PROTECTED]
Sent: Wednesday, November 03, 2004 2:01 PM
To: Struts Users Mailing List
Cc: [EMAIL PROTECTED]
Subject: RE: hacker-proofing Struts-based exposed websites


Sure.  I never mentioned that I was adding totally new functionality to
struts.

If you feel comfortable typing in struts validations in each and every form
class of each and every application, who can stop you?
And you are also quite free to edit each and every one of them should you
want to add a new kind of check to your forms.

Even if you choose to use the struts-config approach, you are equally free
to edit each and every validator expression for each <form...> in all
struts-config files.

I still do not understand how null-character validation can be done via the
validator.  Even if that was possible, all such validation dumps control back
to the JSP with the invalid hacker input values (that's a no-no -- check out
Cross-site Scripting hacker attacks).

Basically from the little response I got, I figure that people haven't had
to add at least some amount of anti-hacker security to their applications.
This was my first external site -- all my life I only did intranet apps.
I optimistically thought I would find people who have been through something
similar with Struts.

Thanks

-----Original Message-----
From: Matt Bathje [mailto:[EMAIL PROTECTED]
Sent: Wednesday, November 03, 2004 11:22 AM
To: Struts Users Mailing List
Cc: [EMAIL PROTECTED]
Subject: Re: hacker-proofing Struts-based exposed websites

Maybe I should wait for other commentary on this because I'm probably
missing something...but after scanning your page for a bit, I'm not
getting it...I don't see what this adds to the built in struts
validators, especially required and maxlength. (Or alternatively, I
don't see why it is better than them.)

..........

Can you maybe expand (here or in the text of your document) on the
advantages over the built-in validations? How is this better for
security than just making a field required, maxlength, invalidCharacter in
the validator framework?

..........

Thanks,
Matt




---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



--------------------------------------------------------
The information contained in this message is intended only for the
recipient, and may be a confidential attorney-client communication or may
otherwise be privileged and confidential and protected from disclosure. If
the reader of this message is not the intended recipient, or an employee or
agent responsible for delivering this message to the intended recipient,
please be aware that any dissemination or copying of this communication is
strictly prohibited. If you have received this communication in error,
please immediately notify us by replying to the message and deleting it from
your computer.

Thank you,

Standard & Poor's

--------------------------------------------------------