
i18n JSPs

 
Darren Edwards
Ranch Hand
Posts: 69
EDIT: in the middle of typing this message a solution dawned on me, but there may be a slicker way?

I'm doing some i18n work and I have



The localised message file for english contains



I want to keep the HTML escaping as performed by c:out, but I'm not sure how to do it.

EDIT: working solution
 
Bear Bibeault
Author and ninkuma
Marshal
Posts: 65524
To be honest I'm not sure what you are asking, but the following may be the answer:

${fn:escapeXml(value)}
 
Darren Edwards
Ranch Hand
Posts: 69
To elaborate on the problem:

c:out does XML escaping by default, which helps protect my application from cross-site scripting vulnerabilities, i.e. a user changes the name of an object to <script>alert('xss');</script>

When I i18n my application I don't want to lose that feature and use


I tried the following, but it's invalid.


Which is why I went for the solution with c:set; it just seems a bit clunky.

Assuming the following is valid, it will be a more readable solution, so thanks.

[ October 06, 2007: Message edited by: Darren Edwards ]
 
Bear Bibeault
Author and ninkuma
Marshal
Posts: 65524
Originally posted by Darren Edwards:
When I i18n my application I don't want to lose that feature and use

Since the messages are coming from a properties file rather than user input, why are you thinking that they are vulnerable to an XSS attack?
 
Darren Edwards
Ranch Hand
Posts: 69
Originally posted by Bear Bibeault:
Since the messages are coming from a properties file rather than user input, why are you thinking that they are vulnerable to an XSS attack?


Because the message in question is parameterised



and {0} is replaced by an object whose name attribute can be updated by a user. Perhaps it would have been clearer if I hadn't tried to generalise the question so much. In my case the object is a course (as in a training course) and the JSTL section to i18n is

 
Bear Bibeault
Author and ninkuma
Marshal
Posts: 65524
Ah yes, any parameter coming from untrusted sources should be cleansed prior to use.
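The point the thread converges on is that <c:out> escapes by default but <fmt:message> does not escape either the message text or its <fmt:param> values, so a user-controlled parameter reaches the browser raw unless it is escaped first. The JSP below is an added example written for this page, not code from either poster; it assumes a hypothetical resource bundle with basename "messages" containing the key course.enrolled=You are enrolled on {0}, and builds the course object in the page itself so it runs without any backing application. It shows the unsafe form, the fn:escapeXml form Bear suggests, and the c:set workaround Darren describes as clunky.

```jsp
<%@ page contentType="text/html; charset=UTF-8" pageEncoding="UTF-8" %>
<%@ taglib prefix="c"   uri="http://java.sun.com/jsp/jstl/core" %>
<%@ taglib prefix="fmt" uri="http://java.sun.com/jsp/jstl/fmt" %>
<%@ taglib prefix="fn"  uri="http://java.sun.com/jsp/jstl/functions" %>

<%-- Constructed sample data: a course whose name a user has changed to a
     script tag. In the real application 'course' would come from the
     request or session; here it is a page-scoped map so the example is
     self-contained. --%>
<jsp:useBean id="course" class="java.util.HashMap"/>
<c:set var="attackerName"><script>alert('xss');</script></c:set>
<c:set target="${course}" property="name" value="${attackerName}"/>

<%-- Hypothetical bundle (assumption): messages.properties with
     course.enrolled=You are enrolled on {0} --%>
<fmt:setBundle basename="messages"/>

<h2>1. c:out escapes by default (renders as text, no script runs)</h2>
<p><c:out value="${course.name}"/></p>

<h2>2. UNSAFE: fmt:message does not escape its parameters</h2>
<%-- {0} is substituted verbatim, so the script tag is sent to the browser --%>
<p>
  <fmt:message key="course.enrolled">
    <fmt:param value="${course.name}"/>
  </fmt:message>
</p>

<h2>3. Safe: escape the parameter with fn:escapeXml</h2>
<%-- fn:escapeXml replaces < > & ' " with entity references before
     MessageFormat inserts the value --%>
<p>
  <fmt:message key="course.enrolled">
    <fmt:param value="${fn:escapeXml(course.name)}"/>
  </fmt:message>
</p>

<h2>4. Equivalent c:set workaround (more verbose)</h2>
<%-- Capture the escaped output of c:out into a variable, then pass it on --%>
<c:set var="safeName"><c:out value="${course.name}"/></c:set>
<p>
  <fmt:message key="course.enrolled">
    <fmt:param value="${safeName}"/>
  </fmt:message>
</p>
```

Escaping at the parameter, as in sections 3 and 4, is the right layer: escaping the whole <fmt:message> output instead would also mangle any markup the translator legitimately put in the properties file. If the message text itself ever comes from an untrusted source (an editable CMS rather than a packaged properties file), it needs the same treatment, since <fmt:message> trusts it completely.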
 