When the user.firstName parameter comes in, Stripes sees that the property does not match the allow list or the deny list and is not validated. Since defaultPolicy=Policy.DENY, user.firstName is denied. Instead, we must either specify the allow= list as we did before or change the default policy:

@StrictBinding(defaultPolicy=Policy.ALLOW, deny="user.activated")
Remember that validated values are allowed by default, so think of them as being implicitly added to the allow= list of properties.
Another tidbit: when indicating more than one property in either allow= or deny=, we can use a list of strings as in the previous examples, or we can use one string that contains the comma-separated list of properties. So, these two are equivalent:

@StrictBinding(allow={"user.firstName", "user.lastName"})

or

@StrictBinding(allow="user.firstName, user.lastName")
Finally, be aware that, to prevent security issues, the * and ** wildcards cannot be combined with partial strings. For example, we might be tempted to use allow="user.*Name" to match user.firstName and user.lastName, or to use allow="user.info**" to match all properties and nested properties that start with info. Those types of patterns won't work and will just be ignored.
Using @DontBind

We already know that @DontValidate shuts off all validations, which is useful for such event handlers as those associated with Cancel buttons. Although no validation error occurs, parameter binding is nevertheless attempted when we use @DontValidate. For extra security, we can block all binding for an event handler by annotating it with @DontBind. This skips the BindingAndValidation life-cycle stage altogether, and when the event handler is called, all request parameters are ignored. Note that @DontBind implies @DontValidate, so there's no need to use both annotations on the same event handler.
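The following action bean is an added example, not code from the book, that puts the three rules above together: a DENY default policy, an explicit allow= list, a validated property that is allowed implicitly, and a Cancel handler that binds nothing. The nested User class and the JSP paths are assumptions made for this example.

```java
import net.sourceforge.stripes.action.*;
import net.sourceforge.stripes.action.StrictBinding.Policy;
import net.sourceforge.stripes.validation.Validate;
import net.sourceforge.stripes.validation.ValidateNestedProperties;

// Deny everything that is neither validated nor listed; only the two name
// properties are explicitly allowed, so user.activated can never be bound
// from a request parameter.
@StrictBinding(defaultPolicy = Policy.DENY, allow = {"user.firstName", "user.lastName"})
public class RegisterActionBean implements ActionBean {

    // Minimal model used by this example (an assumption, not the book's User class).
    public static class User {
        private String firstName, lastName, email;
        private boolean activated;
        public String getFirstName() { return firstName; }
        public void setFirstName(String v) { firstName = v; }
        public String getLastName() { return lastName; }
        public void setLastName(String v) { lastName = v; }
        public String getEmail() { return email; }
        public void setEmail(String v) { email = v; }
        public boolean isActivated() { return activated; }
        public void setActivated(boolean v) { activated = v; }
    }

    private ActionBeanContext context;

    // user.email is validated, so it is implicitly on the allow list
    // even though it is not named in allow=.
    @ValidateNestedProperties({ @Validate(field = "email", required = true) })
    private User user;

    public ActionBeanContext getContext() { return context; }
    public void setContext(ActionBeanContext c) { context = c; }
    public User getUser() { return user; }
    public void setUser(User u) { user = u; }

    @DefaultHandler
    public Resolution register() {
        user.setActivated(false); // the server decides this flag, never the request
        return new ForwardResolution("/WEB-INF/jsp/registered.jsp"); // assumed path
    }

    // Cancel button: @DontBind skips the BindingAndValidation stage entirely
    // (and implies @DontValidate), so every request parameter is ignored here.
    @DontBind
    public Resolution cancel() {
        return new RedirectResolution("/index.jsp"); // assumed path
    }
}
```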
14.2 Preventing Cross-site Scripting Attacks

Let's move on to another security issue. Cross-site scripting (XSS) attacks consist of ill-intentioned users submitting scripts in input fields so that when the values are displayed, the scripts are executed.