Right now, the webmail application is vulnerable to such attacks. For example, if we go to the contact form and use the “Last name” field to enter this:

<script> alert('Oh no!') </script>

we'll see an “Oh no!” message pop up every time the contact is displayed in the contact list or contact view pages. Not good. Allowing such markup not only makes an application vulnerable to serious attacks but can also wreck a page's presentation when a user, even well-intentioned, makes a mistake in using formatting tags. For example, imagine what happens if a page that displays user-submitted comments is sent this input:

I <b> really like your website!

The user forgot to close the bold tag, causing everything after that comment to be displayed in bold!
Fortunately, XSS attacks and other markup-related headaches are fairly easy to prevent. The idea is to always filter user-entered values before displaying them. The filter escapes any HTML markup so that the following, for example,

<script> alert('Oh no!') </script>

becomes this:

&lt;script&gt;alert('Oh no!')&lt;/script&gt;

and so is displayed correctly and harmlessly.
First, there is the escapeXml() method in the functions part of the standard JSP tag library:

<%@taglib prefix="fn" uri="http://java.sun.com/jsp/jstl/functions"%>
${fn:escapeXml(value)}

This filters the contents of value before displaying it. To prevent XSS attacks in our JSPs, we just need to wrap user-entered values within fn:escapeXml(). For example, in the contact view page:
Download email_34/web/WEB-INF/jsp/contact_view.jsp
<tr>
<td class="label"><s:label for="contact.firstName"/> : </td>
<td class="value">
${fn:escapeXml(actionBean.contact.firstName)}
</td>
</tr>
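To see what the filter actually does outside a JSP, here is an added example (my own code, not the book's and not the JSTL library's source) of a plain-Java escaper that mirrors the character substitutions fn:escapeXml is specified to make, run over the two inputs discussed above.

```java
// Added example: a plain-Java escaper mirroring JSTL's fn:escapeXml, so the
// filter can be exercised outside a JSP. The JSTL spec has fn:escapeXml
// replace < > & ' " with entity references and treat null as "".
public class EscapeXmlDemo {

    /** Escapes the five characters fn:escapeXml rewrites; null becomes "". */
    public static String escapeXml(String value) {
        if (value == null) {
            return "";
        }
        StringBuilder sb = new StringBuilder(value.length() + 16);
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '\'': sb.append("&#039;"); break;
                case '"':  sb.append("&#034;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** True if the escaped text can no longer open or close a tag. */
    public static boolean containsNoMarkup(String escaped) {
        return escaped.indexOf('<') < 0 && escaped.indexOf('>') < 0;
    }

    public static void main(String[] args) {
        // Constructed inputs: the two strings from the text above.
        String[] inputs = {
            "<script> alert('Oh no!') </script>",
            "I <b> really like your website!"
        };
        for (String raw : inputs) {
            String safe = escapeXml(raw);
            System.out.println("raw:          " + raw);
            System.out.println("escaped:      " + safe);
            System.out.println("markup left?  " + !containsNoMarkup(safe));
        }
    }
}
```

Both inputs come out with every `<` and `>` replaced, so the browser renders them as literal text: the script never runs and the unclosed bold tag no longer leaks into the rest of the page.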