When the user.firstName parameter comes in, Stripes sees that the property does not match the allow list or the deny list and is not validated. Since defaultPolicy=Policy.DENY, user.firstName is denied. Instead, we must either specify the allow= list as we did before or change the default policy:
@StrictBinding(defaultPolicy=Policy.ALLOW, deny="user.activated")
Remember that validated values are allowed by default, so think of them as being implicitly added to the allow= list of properties.
Another tidbit: when indicating more than one property in either of allow= or deny=, we can use a list of strings as in the previous examples, or we can use one string that contains the comma-separated list of properties. So, these two are equivalent:
@StrictBinding(allow={"user.firstName", "user.lastName"})
or
@StrictBinding(allow="user.firstName, user.lastName")
Finally, be aware that, to prevent security issues, * and ** cannot be combined with partial strings. For example, we might be tempted to use allow="user.*Name" to match user.firstName and user.lastName, or to use allow="user.info**" to match all properties and nested properties that start with info. Those types of patterns won't work and will just be ignored.
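To make the binding decision described above concrete, here is a small Python model of it (added here; it is not Stripes' own Java code). It treats validated properties as allow-list entries, accepts both the list form and the comma-separated form of allow= and deny=, and discards patterns that mix * or ** with partial text. Two details are assumptions of the model rather than statements from the text: * matches exactly one path element and ** one or more, and a property that appears on both lists falls back to the default policy.

```python
import re
from enum import Enum


class Policy(Enum):
    ALLOW = "ALLOW"
    DENY = "DENY"


# One path element: a plain name, "*" or "**". Anything else, such as
# "*Name" or "info**", is a partial-string wildcard and is ignored.
_ELEMENT = re.compile(r"^(\*\*|\*|[A-Za-z_][A-Za-z0-9_]*)$")


def pattern_to_regex(pattern):
    """Compile a pattern such as "user.*" or "user.**"; None if it is ignored.
    Assumption: "*" matches one path element, "**" matches one or more."""
    parts = []
    for element in pattern.strip().split("."):
        if not _ELEMENT.match(element):
            return None
        if element == "**":
            parts.append(r"[^.]+(?:\.[^.]+)*")
        elif element == "*":
            parts.append(r"[^.]+")
        else:
            parts.append(re.escape(element))
    return re.compile("^" + r"\.".join(parts) + "$")


def as_names(spec):
    """A list of strings or one comma-separated string; both forms are equivalent."""
    items = [spec] if isinstance(spec, str) else list(spec)
    return [n.strip() for item in items for n in item.split(",") if n.strip()]


def on_list(spec, prop):
    for name in as_names(spec):
        regex = pattern_to_regex(name)
        if regex is not None and regex.match(prop):
            return True
    return False


def binding_allowed(prop, allow=(), deny=(), default_policy=Policy.DENY, validated=()):
    """Decide whether request parameter `prop` may be bound to the ActionBean."""
    allowed = on_list(allow, prop) or prop in validated   # validated => implicitly allowed
    denied = on_list(deny, prop)
    if allowed == denied:          # on neither list (or, by assumption, on both)
        return default_policy is Policy.ALLOW
    return allowed
```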
Using @DontBind
We already know that @DontValidate shuts off all validations, which is useful for such event handlers as those associated with Cancel buttons. Although no validation errors occur, parameter binding is nevertheless attempted when we use @DontValidate. For extra security, we can block all binding for an event handler by annotating it with @DontBind. This skips the BindingAndValidation life-cycle stage altogether, and when the event handler is called, all request parameters are ignored. Note that @DontBind implies @DontValidate, so there's no need to use both annotations on the same event handler.
14.2 Preventing Cross-site Scripting Attacks
Let's move on to another security issue. Cross-site scripting (XSS) attacks consist of ill-intentioned users submitting scripts in input fields so that when the values are displayed, the scripts are executed.