An interceptor is still a reasonable solution. But not having a form on each
page doesn't really seem like a big deal--just escape any request
parameters; no form, no parameters, no problem.

Dave

On Mon, Oct 4, 2010 at 11:55 AM, Pars Man <parsmani...@yahoo.de> wrote:

> I don't want to use HDIV because:
> 1. I do not know much about it (yet)
> 2. It seems to be "heavyweight" - I don't need all of its capabilities
>
> But I have the feeling you know more about HDIV. As far as I know HDIV also
> changes URLs, which I also don't want.
> I just want to make my HTML forms secure against XSS and nothing else. And of
> course I do not have a form on every page...
>
> Pars
>
>
>
> ----- Original Message ----
> From: Dave Newton <davelnew...@gmail.com>
> To: Struts Users Mailing List <user@struts.apache.org>
> Sent: Friday, 1 October 2010, 14:46:03
> Subject: Re: Best Practices for handling of XSS attacks
>
> An interceptor seems like a reasonable solution. Why don't you want to use
> HDIV?
>
> Dave
>
> On Fri, Oct 1, 2010 at 3:15 AM, Pars Man <parsmani...@yahoo.de> wrote:
>
> > Hi,
> >
> > I am currently checking the web to find something about how to handle XSS
> > attacks in my Struts2 application.
> > Unfortunately I just cannot find anything.
> >
> > I do not want to use HDIV (http://www.hdiv.org/) or the HDIV-Plugin
> > (https://cwiki.apache.org/S2PLUGINS/home.html).
> >
> > What I thought of is an Interceptor that escapes the special characters of
> > all parameters that are sent, i.e. by using StringEscapeUtils which is
> > included in commons-lang.jar
> > (see http://www.mkyong.com/java/how-to-escape-special-characters-in-java/).
> >
> > 1. How would you manage such a requirement?
> > 2. What are the Best Practices?
> > 3. Would you use an Interceptor and if yes how would it look like?
> > 4. What options do I have?
> > 5. What are the pros and cons?
> >
> > Thanks
> >
> >
> >
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: user-unsubscr...@struts.apache.org
> > For additional commands, e-mail: user-h...@struts.apache.org
> >
> >
>
>
>
>

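For readers who want to see what the interceptor discussed in this thread would look like, here is an added example (not code posted by Dave or Pars, and not part of Struts or HDIV). It HTML-escapes every String request parameter with commons-lang 2.x `StringEscapeUtils.escapeHtml` before the built-in `params` interceptor copies the values onto the action. It assumes the Struts 2.2-era API in which `ActionContext#getParameters()` returns a `Map<String, Object>` whose values are `String[]`; the class name `HtmlEscapeParametersInterceptor` is invented here. One caveat a practitioner should weigh: escaping on input means entity-encoded text ends up in your database and in any non-HTML context (JSON, e-mail, logs), and it is easy to double-escape because Struts tags such as `<s:property>` already escape HTML on output by default. Output encoding at the point of rendering is the approach that avoids those problems; the interceptor below is the input-side variant the thread asks about.

```java
import java.util.HashMap;
import java.util.Map;

import org.apache.commons.lang.StringEscapeUtils;

import com.opensymphony.xwork2.ActionContext;
import com.opensymphony.xwork2.ActionInvocation;
import com.opensymphony.xwork2.interceptor.AbstractInterceptor;

/**
 * Added example (not from the mailing-list thread): HTML-escapes all String
 * request parameters before they reach the action.
 *
 * Assumptions: Struts 2.2-era API (ActionContext#getParameters() returns
 * Map<String, Object> with String[] values) and commons-lang 2.x on the
 * classpath. The interceptor must sit BEFORE "params" in the stack, otherwise
 * the raw values have already been copied onto the action.
 */
public class HtmlEscapeParametersInterceptor extends AbstractInterceptor {

    private static final long serialVersionUID = 1L;

    @Override
    public String intercept(ActionInvocation invocation) throws Exception {
        ActionContext ctx = invocation.getInvocationContext();
        Map<String, Object> params = ctx.getParameters();

        // Build a new map rather than mutating the one Struts handed us; some
        // versions wrap the parameter map read-only.
        Map<String, Object> escaped = new HashMap<String, Object>(params.size());
        for (Map.Entry<String, Object> e : params.entrySet()) {
            escaped.put(e.getKey(), escapeValue(e.getValue()));
        }
        ctx.setParameters(escaped);

        return invocation.invoke();
    }

    /**
     * Escapes a single parameter value. Struts stores parameters as String[]
     * (one array per name, even for single-valued fields); plain Strings are
     * handled too. Anything else (e.g. file-upload objects) passes through
     * untouched, since HTML-escaping them would make no sense.
     */
    static Object escapeValue(Object value) {
        if (value instanceof String) {
            return StringEscapeUtils.escapeHtml((String) value);
        }
        if (value instanceof String[]) {
            String[] in = (String[]) value;
            String[] out = new String[in.length];
            for (int i = 0; i < in.length; i++) {
                // escapeHtml turns < > & " into &lt; &gt; &amp; &quot;
                out[i] = (in[i] == null) ? null : StringEscapeUtils.escapeHtml(in[i]);
            }
            return out;
        }
        return value;
    }
}
```

To wire it in, declare the class in struts.xml with `<interceptor name="htmlEscapeParams" class="...HtmlEscapeParametersInterceptor"/>` and reference `htmlEscapeParams` in your stack immediately before `params` (the default stack runs `params` after `staticParams` and `actionMappingParams`). A quick check that it is ordered correctly: submit `<b>x</b>` in any text field and confirm the action's setter receives `&lt;b&gt;x&lt;/b&gt;` rather than the raw markup.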