Curious as to why javascript executes if stored in session from form field.

Ranch Hand
Posts: 47
Hi,

I have a simple form that submits to a JSP. If I enter some javascript:
(exactly as shown below, including quotes)

"'><script>alert("hi there")</script><'"

into a form field, and attempt to store the value of that param in the session, the javascript executes.

I'm just wondering if someone could tell me why this happens.
We use JRUN 3.X

Any info will be greatly appreciated.

Thanks in advance,
-Brasskey
Sheriff
Posts: 67746
Are you emitting this anywhere on the target JSP?

Btw, this is a textbook case of why one should:

1) Never trust anything coming in from the client

2) Never submit directly to a JSP page
 
Bill Brasskey
Ranch Hand
Posts: 47
The JSP that the form submits to doesn't display anything, it only processes the form. The submitting page is where the session values are printed to the screen, if they are present.
 
author
Posts: 15385
6
When a client-side page renders, it executes in order. When it sees script tags it performs the action. An example of having a script tag inside a form would be to use a document.write statement to add a value.

If you do not want it to fire, you are going to have to escape the <> signs.

Eric
 
Bear Bibeault
Sheriff
Posts: 67746
If that string is sent to any page, it will execute upon display.

Again, never trust any text entered by a client. As Eric pointed out, you should always escape any customer-entered text that you will display. It protects against accidentally breaking your page because someone entered script or "</html>" for their data, or against malicious attacks.

The easiest way to accomplish this, assuming JSP 2.0, is to use the <c:out> tag (which escapes its output by default), or the JSTL 1.1 fn:escapeXml() function.

Prior to JSP 2.0, it's fairly easy to write a custom tag that does likewise, or use the <c:out> tag from JSTL 1.0.
 
Don't get me started about those stupid light bulbs.
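A worked illustration of the escaping Bear and Eric describe, added here as an example rather than code from either poster. It uses a plain java.util.Map as a stand-in for HttpSession so it compiles without a servlet container, feeds in the exact string from the first post as constructed input, and reimplements the same five-character substitution that JSTL's fn:escapeXml() performs; the JSP-side equivalents (<c:out> and fn:escapeXml) are shown in comments. The class and method names are this example's own.

```java
import java.util.HashMap;
import java.util.Map;

public class SessionEchoDemo {

    // The string from the original post, used here as constructed test input.
    static final String PAYLOAD = "\"'><script>alert(\"hi there\")</script><'\"";

    // Same substitutions as JSTL's fn:escapeXml(): <, >, &, ", and ' are
    // replaced by entities so the browser treats the value as text, not markup.
    static String escapeXml(String s) {
        if (s == null) {
            return "";
        }
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&#034;"); break;
                case '\'': sb.append("&#039;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Equivalent of the original page's behaviour: the raw session value is
    // written into the HTML, e.g. <%= session.getAttribute("field") %>.
    static String renderUnescaped(Map<String, Object> session) {
        Object value = session.get("field");
        return "<p>You entered: " + (value == null ? "" : value) + "</p>";
    }

    // Hardened form: the value is escaped on output. In JSP 2.0 / JSTL 1.1 this
    // is <c:out value="${sessionScope.field}"/> (escapeXml is true by default)
    // or ${fn:escapeXml(sessionScope.field)}.
    static String renderEscaped(Map<String, Object> session) {
        Object value = session.get("field");
        return "<p>You entered: " + escapeXml(value == null ? null : value.toString()) + "</p>";
    }

    // Simple check a reviewer might run: does the rendered page still contain
    // an unescaped tag? With escaping applied there is no '<' from the input.
    static boolean containsRawTag(String html, String tag) {
        return html.indexOf("<" + tag) >= 0;
    }

    public static void main(String[] args) {
        // Stand-in for HttpSession: the processing JSP stores the form field here.
        Map<String, Object> session = new HashMap<>();
        session.put("field", PAYLOAD);

        String vulnerable = renderUnescaped(session);
        String hardened = renderEscaped(session);

        System.out.println("Unescaped: " + vulnerable);
        System.out.println("  contains <script tag: " + containsRawTag(vulnerable, "script"));
        System.out.println("Escaped:   " + hardened);
        System.out.println("  contains <script tag: " + containsRawTag(hardened, "script"));
    }
}
```

Storing the value in the session is not what runs the script; the value only becomes active when the displaying page writes it into the HTML verbatim, which is why the escaping belongs at the point of output, on whichever page echoes the session value.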