
Curious as to why javascript executes if stored in session from form field.

 
Bill Brasskey
Ranch Hand
Posts: 47
Hi,

I have a simple form that submits to a JSP. If I enter some javascript:
( exactly as shown below, including quotes )

"'><script>alert("hi there")</script><'"

into a form field, and attempt to store the value of that param in the session, the javascript executes.

I'm just wondering if someone could tell me why this happens.
We use JRUN 3.X

Any info will be greatly appreciated.

Thanks in advance,
-Brasskey
 
Bear Bibeault
Author and ninkuma
Marshal
Posts: 65833
Are you emitting this anywhere on the target JSP?

Btw, this is a textbook case of why one should:

1) Never trust anything coming in from the client

2) Never submit directly to a JSP page
 
Bill Brasskey
Ranch Hand
Posts: 47
The JSP that the form submits to doesn't display anything, it only processes the form. The submitting page is where the session values are printed to the screen, if they are present.
 
Eric Pascarello
author
Rancher
Posts: 15385
When a client-side page renders, it executes in order. When it sees script tags it performs the action. An example of having a script tag inside a form would be to use a document.write statement to add a value.

If you do not want it to fire, you are going to have to escape the <> signs.

Eric
 
Bear Bibeault
Author and ninkuma
Marshal
Posts: 65833
If that string is sent to any page, it will execute upon display.

Again, never trust any text entered by a client. As Eric pointed out, you should always escape any customer-entered text that you will display. It protects against accidentally breaking your page because someone entered script or "</html>" for their data, or against malicious attacks.

The easiest way to accomplish this, assuming JSP 2.0, is to use the <c:out> tag (which escapes its output, by default), or the JSTL 1.1 fn:escapeXml() function.

Prior to JSP 2.0, it's fairly easy to write a custom tag that does likewise, or use the <c:out> tag from JSTL 1.0.
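The two replies above (Eric's "escape the <> signs" and Bear's <c:out> / fn:escapeXml() advice) can be seen side by side in the following Java snippet. It is an added example, not code from the thread or from JSTL: the class name HtmlEscapeDemo and the method names are hypothetical, and escapeHtml() is a hand-written stand-in that escapes the same five characters fn:escapeXml() does (&, <, >, " and '). The input is the exact string from the first post, embedded here as constructed test data.

```java
// Added example (not from the thread): a minimal HTML escaper that mimics the
// effect of JSTL's fn:escapeXml() / <c:out>, applied to the payload from the
// original post. Class and method names are hypothetical.
public final class HtmlEscapeDemo {

    /** The string from the first post, constructed here as sample input. */
    public static final String PAYLOAD = "\"'><script>alert(\"hi there\")</script><'\"";

    /** Escape the five characters that can break out of text into markup. */
    public static String escapeHtml(String s) {
        if (s == null) {
            return "";
        }
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&#034;"); break;
                case '\'': sb.append("&#039;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** The page as described in the thread: the raw session value is written straight into the markup. */
    public static String renderUnsafe(String sessionValue) {
        return "<p>You entered: " + sessionValue + "</p>";
    }

    /** The fixed page: same markup, but the value is escaped at output time. */
    public static String renderSafe(String sessionValue) {
        return "<p>You entered: " + escapeHtml(sessionValue) + "</p>";
    }

    public static void main(String[] args) {
        // Unsafe: the browser sees a real <script> element and runs it.
        System.out.println(renderUnsafe(PAYLOAD));
        // Safe: the browser sees &lt;script&gt; and displays it as text.
        System.out.println(renderSafe(PAYLOAD));
        // Sanity check: the escaped output must not contain a literal tag opener.
        System.out.println("escaped output contains '<script'? "
                + renderSafe(PAYLOAD).contains("<script"));
    }
}
```

In a JSP the unsafe form corresponds to something like `<%= session.getAttribute("name") %>` and the safe form to `<c:out value="${sessionScope.name}"/>` (or `${fn:escapeXml(sessionScope.name)}`). Note that the escaping belongs where the value is displayed, not where it is stored in the session: the session can hold the raw text, and every page that prints it must escape it for the context it is printed into.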
 