<tr>
<td class="label"><s:label for="contact.lastName"/> : </td>
<td class="value">
${fn:escapeXml(actionBean.contact.lastName)}
</td>
</tr>
and so on for all other fields.
Second, we have to filter messages that are created by action beans and contain values entered by the user, such as confirmation messages. If, for example, we display “Message sent to Somebody” after the user has sent an email, with the Somebody part being what the user entered in the To field, it is vulnerable to XSS attacks. Stripes provides a helper method, HtmlUtil.encode(), to filter values before they are displayed:
Download email_34/src/stripesbook/action/MessageComposeActionBean.java
getContext().getMessages().add(
getLocalizableMessage("messageSentTo",
HtmlUtil.encode(message.getTo())));
Filtering values with ${fn:escapeXml(value)} and HtmlUtil.encode() protects your application from XSS attacks.
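The following is an added example, not code from the book or from the Stripes project, showing why the recipient in a confirmation message has to be encoded before it reaches the page. The encode() method here is a stand-in written for this example; it escapes the same five characters (&, <, >, ", ') that fn:escapeXml does, so the book's HtmlUtil.encode() or ${fn:escapeXml(...)} can be substituted for it. The hostile recipient string is a constructed sample.

```java
// Added example: unencoded vs. encoded confirmation message.
// encode() is a stand-in for fn:escapeXml / HtmlUtil.encode (assumption: same
// five-character escape set as the JSTL function).
public final class XssEncodingDemo {

    /** Minimal HTML/XML escaper covering &, <, >, " and '. */
    static String encode(String input) {
        if (input == null) {
            return "";
        }
        StringBuilder sb = new StringBuilder(input.length() + 16);
        for (int i = 0; i < input.length(); i++) {
            char c = input.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&#034;"); break;
                case '\'': sb.append("&#039;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Vulnerable: the value typed into the To field is interpolated untouched. */
    static String unsafeMessage(String to) {
        return "Message sent to " + to;
    }

    /** Safe: the user-supplied part is encoded before it becomes part of the message. */
    static String safeMessage(String to) {
        return "Message sent to " + encode(to);
    }

    public static void main(String[] args) {
        // Constructed sample: a "recipient" that is really markup.
        String hostile = "<script>alert('xss')</script>";
        System.out.println("unsafe: " + unsafeMessage(hostile));
        System.out.println("safe:   " + safeMessage(hostile));
        // A harmless address passes through unchanged.
        System.out.println("plain:  " + safeMessage("somebody@example.com"));
    }
}
```

The unsafe variant hands the browser a live script element; the safe variant renders the same characters as visible text. Because the message is built in the action bean and rendered later by a tag the JSP does not control, encoding at the point where the value enters the message, as the book's MessageComposeActionBean does, is the reliable place to do it.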
14.3 Using Encryption
Let's take stock. We've controlled which properties are allowed to be bound from request parameters and have filtered the values that are entered by the user before displaying them to prevent harmful scripting. Next on our security to-do list: using encryption for sensitive data.
Hashing Passwords
Did you notice something when you looked at Figure 12.1, on page 247? The password is stored in the database in clear text. Not a good idea! What we should do is hash the password before storing it in the database. That way, it won't be usable if it falls into the wrong hands.
What we'll do is create a PasswordTypeConverter, which converts a clear-text password into a hashed password. The type converter will not be in an extension package, and we'll use it only on password fields via @Validate(converter=PasswordTypeConverter.class). To hash the password, we'll use Java's MessageDigest class and Stripes' Base64 class.
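As an added example, not the book's PasswordTypeConverter and not Stripes code, here is a stand-alone hasher built on the same two ingredients the text names, MessageDigest and Base64. It uses java.util.Base64 (Java 8+) in place of Stripes' Base64 class, and it goes beyond the passage in two ways a practitioner would want: a random per-password salt and an iteration count, so that identical passwords do not produce identical stored values and each guess costs more than one digest. The class name, the SALT_BYTES and ITERATIONS values and the "salt:digest" storage format are choices made for this example; the sample passwords are constructed.

```java
// Added example: salted, iterated password hashing with MessageDigest and Base64.
// Not the book's converter; assumptions: SHA-256, 16-byte salt, 10,000 iterations,
// stored as base64(salt) + ":" + base64(digest).
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Base64;

public final class PasswordHasher {
    private static final String ALGORITHM = "SHA-256";
    private static final int SALT_BYTES = 16;
    private static final int ITERATIONS = 10_000;

    /** Hashes a clear-text password; the result is what goes into the database. */
    static String hash(String clearText) {
        byte[] salt = new byte[SALT_BYTES];
        new SecureRandom().nextBytes(salt);
        byte[] digest = digest(clearText, salt);
        Base64.Encoder enc = Base64.getEncoder();
        // Standard Base64 never emits ':', so it is a safe separator.
        return enc.encodeToString(salt) + ":" + enc.encodeToString(digest);
    }

    /** Checks a login attempt against a stored value without timing leaks. */
    static boolean matches(String clearText, String stored) {
        int sep = stored.indexOf(':');
        if (sep < 0) {
            return false;
        }
        Base64.Decoder dec = Base64.getDecoder();
        byte[] salt = dec.decode(stored.substring(0, sep));
        byte[] expected = dec.decode(stored.substring(sep + 1));
        byte[] actual = digest(clearText, salt);
        // MessageDigest.isEqual compares in constant time.
        return MessageDigest.isEqual(expected, actual);
    }

    /** digest = H^ITERATIONS(salt || password). */
    private static byte[] digest(String clearText, byte[] salt) {
        try {
            MessageDigest md = MessageDigest.getInstance(ALGORITHM);
            md.update(salt);
            byte[] out = md.digest(clearText.getBytes(StandardCharsets.UTF_8));
            for (int i = 1; i < ITERATIONS; i++) {
                md.reset();
                out = md.digest(out);
            }
            return out;
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(ALGORITHM + " not available", e);
        }
    }

    public static void main(String[] args) {
        String stored = hash("correct horse battery staple");   // constructed sample
        System.out.println("stored:         " + stored);
        System.out.println("right password: " + matches("correct horse battery staple", stored));
        System.out.println("wrong password: " + matches("Tr0ub4dor&3", stored));
    }
}
```

In the book's design the converter hashes the submitted value as it is bound, which works for an unsalted digest because the same input always yields the same output. Once a random salt is involved, the login path cannot simply re-run the converter and compare strings: it must call something like matches() with the stored value, so the salt is recovered from the database rather than generated afresh. For production code a purpose-built password KDF (PBKDF2 via javax.crypto, bcrypt, scrypt or Argon2) is preferable to hand-rolled iteration, but the structure above, salt, iteration, Base64 storage and constant-time comparison, is the same.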