Right now, the webmail application is vulnerable to such attacks. For example, if we go to the contact form and use the “Last name” field to enter this:
<script>
alert('Oh no!')
</script>
we'll see an “Oh no!” message pop up every time the contact is displayed in the contact list or contact view pages. Not good. Allowing such markup not only makes an application vulnerable to serious attacks but can also wreck a page's presentation when a user, even well-intentioned, makes a mistake in using formatting tags. For example, imagine what happens if a page that displays user-submitted comments is sent this input:
I
<b>
really like your website!
The user forgot to close the bold tag, causing everything after that comment to be displayed in bold!
Fortunately, XSS attacks and other markup-related headaches are fairly easy to prevent. The idea is to always filter user-entered values before displaying them. The filter escapes any HTML markup so that the following, for example,
<script>
alert('Oh no!')
</script>
becomes this:
&lt;script&gt;alert('Oh no!')&lt;/script&gt;
and so is displayed correctly and harmlessly, as literal text rather than as markup the browser executes.
First, there is the escapeXml() method in the functions part of the standard JSP tag library:
<%@taglib prefix="fn" uri="http://java.sun.com/jsp/jstl/functions"%>
${fn:escapeXml(value)}
This filters the contents of value before displaying it. To prevent XSS attacks in our JSPs, we just need to wrap user-entered values within fn:escapeXml(). For example, in the contact view page:
<tr>
<td class="label"><s:label for="contact.firstName"/>:</td>
<td class="value">
${fn:escapeXml(actionBean.contact.firstName)}
</td>
</tr>
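To make the escaping concrete outside a JSP, here is an added example (not code from the book or from Stripes) of a plain Java method that applies the same character substitutions fn:escapeXml performs (<, >, &, ' and " become entities) and runs it over the two inputs discussed above; the class and method names are assumptions chosen for the example.

```java
// Added example: a standalone equivalent of what fn:escapeXml does to a
// user-entered value before it is written into the page. Class and method
// names are hypothetical; only the substitution rules follow JSTL's escapeXml.
public final class EscapeDemo {

    /** Replace the five characters that let text break out of an HTML context. */
    public static String escapeXml(String input) {
        if (input == null) {
            return "";
        }
        StringBuilder sb = new StringBuilder(input.length() + 16);
        for (int i = 0; i < input.length(); i++) {
            char c = input.charAt(i);
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;   // must be escaped too, or entities could be forged
                case '\'': sb.append("&#039;"); break;
                case '"':  sb.append("&#034;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Build a table cell the way the contact view page does, escaping on output. */
    public static String valueCell(String userValue) {
        return "<td class=\"value\">" + escapeXml(userValue) + "</td>";
    }

    public static void main(String[] args) {
        // Constructed inputs, taken from the two scenarios in the text.
        String xss = "<script>alert('Oh no!')</script>";
        String unclosedBold = "I <b> really like your website!";

        // The script payload is rendered as visible text instead of running.
        System.out.println(valueCell(xss));
        // The unclosed <b> no longer leaks formatting into the rest of the page.
        System.out.println(valueCell(unclosedBold));
    }
}
```

Escaping at output time, as here, is the check that matters: a value stored unescaped is harmless until a page writes it without passing it through escapeXml.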