
Escaping HTML with Equivalent Entity References

 
Michael B Allen
Greenhorn
What is the standard method for escaping special HTML characters?

For example, consider the following code fragment:

<input type="text" name="username" value="<% out.print(username); %>"/>

If username is supplied externally, such as via an HTTP parameter, the above is a security vulnerability. How would you write this so that any special HTML markup characters are escaped properly?

I see there is a tag library that has a <c:out> tag for this purpose but apparently my app server does not support it. Actually I'm just writing a few examples to go out with our new security library so it would not matter much if I could somehow enable <c:out> as I need to keep requirements to a minimum anyway.

Can someone share their code for replacing greater-than, less-than and quotes with their equivalent entity references? I have no problem writing something to do this (I've been doing Java for over 10 years but somehow I never found myself using the web stack) but I would imagine there must be a standard fragment of code that does this as it is basically required for even the most trivial web application.

Mike
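Added example (not code from any poster in this thread): a plain-Java escaper for the five characters that have meaning in HTML markup, used to render the <input> fragment from the question safely. It escapes the same set that the JSTL <c:out> tag escapes by default (&, <, >, " and '), which matters here because the value sits inside a double-quoted attribute, so a bare " in the input is enough to close the attribute and start a new one. The class name HtmlEscape, the helper usernameInput and the attacker string are assumptions made for the demonstration.

```java
/**
 * HtmlEscape: minimal escaping for HTML text and quoted-attribute contexts.
 * Added example, not from the original thread. Names are illustrative.
 */
public final class HtmlEscape {

    private HtmlEscape() {}

    /**
     * Replaces the characters that can change HTML structure with entity
     * references. Single pass, so an '&' already present in the input is
     * escaped exactly once and never re-escaped.
     *
     * This is the same character set, and the same numeric forms, that the
     * JSTL <c:out> tag emits when its escapeXml attribute is left at the
     * default of true, i.e. the JSP equivalent of usernameInput() below is:
     *
     *   <%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
     *   <input type="text" name="username" value="<c:out value='${param.username}'/>"/>
     */
    public static String escapeHtml(String s) {
        if (s == null) {
            return "";
        }
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break; // required, or entities can be smuggled through
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&#034;"); break; // numeric form is valid in both HTML and XML
                case '\'': sb.append("&#039;"); break; // &apos; is not defined in HTML 4
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Renders the <input> fragment from the question with the value escaped. */
    public static String usernameInput(String username) {
        return "<input type=\"text\" name=\"username\" value=\""
                + escapeHtml(username) + "\"/>";
    }

    public static void main(String[] args) {
        // Constructed attacker input: closes the value attribute and injects an event handler.
        String payload = "\" onfocus=\"alert(1)\" autofocus=\"";

        // What the scriptlet in the question would emit (vulnerable):
        System.out.println("unescaped: <input type=\"text\" name=\"username\" value=\""
                + payload + "\"/>");

        // With escaping, the quotes become &#034; and the attribute cannot be closed early:
        System.out.println("escaped:   " + usernameInput(payload));

        // Ampersands and angle brackets in ordinary text are neutralised as well:
        System.out.println(escapeHtml("Tom & Jerry <b>&amp;</b>"));
    }
}
```

Note the context caveat: this escaping is correct for element text and for attribute values that are enclosed in quotes. It is not sufficient for unquoted attributes, for values placed inside a <script> block, or for URLs, each of which needs its own encoding rules.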
 
Bear Bibeault
Author and ninkuma
Marshal
Join the 21st century and stop using scriptlets. Using the JSTL <c:out> tag will automatically encode HTML special characters.

I see there is a tag library that has a <c:out> tag for this purpose but apparently my app server does not support it

Unless it's hopelessly antiquated, it does. You just need to configure it properly. See the JSP FAQ for details.

And that's not just any tag library, that's the JSTL (JSP Standard Tag Library) and you should be using it and the EL (Expression Language) rather than outdated scriptlets in your JSP pages.
 
Michael B Allen
Greenhorn
Bear Bibeault wrote:Join the 21st century and stop using scriptlets. Using the JSTL <c:out> tag will automatically encode HTML special characters.


I didn't realize I started using scriptlets. What are scriptlets? Are people now into "MVC frameworks" or something? Are Servlets and Servlet Filters still used?

I've been doing socket-level binary network programming for the last 10 years. I don't know anything about the web stack. Clue me in please. Can you point me to an exemplary project or blog or tutorial that illustrates how everyone is using the Java web stack in the 21st century?

Bear Bibeault wrote:
I see there is a tag library that has a <c:out> tag for this purpose but apparently my app server does not support it

Unless its hopelessly antiquated, it does. You just need to configure it properly. See the JSP FAQ for details.


Again, for the examples that come with our security library, I'm not looking for aesthetic purity. I need something that has a high probability of working in most environments. If <c:out> does not work with the latest stable release of Jetty (6.1.11) with default settings, then is what I'm doing really that antiquated?

Mike
 
Vikas Kapoor
Ranch Hand
Scriptlets means Java code in JSP.
This is what you have used. This is scriptlets.
Scriptlets should be avoided because much better options are available, like JSTL and EL.

Are people now into "MVC frameworks" or something?

Yeah. Many.

If <c:out> does not work with the latest stable release of Jetty (6.1.11) with default settings, then is what I'm doing really that antiquated?

You can look into specification of Jetty. I think it should be supporting JSTL/EL.
 
Michael B Allen
Greenhorn
Vishal Pandya wrote:
If <c:out> does not work with the latest stable release of Jetty (6.1.11) with default settings, then is what I'm doing really that antiquated?

You can look into specification of Jetty. I think it should be supporting JSTL/EL.


Never mind. After some fiddling I see I just needed a taglib declaration. Jetty 6 supports <c:out/> by default just fine.

Thanks,
Mike
 
Bear Bibeault
Author and ninkuma
Marshal
Michael B Allen wrote:I didn't realize I started using scriptlets. What are scriptlets?
As pointed out, anything enclosed in <% and %>. They're a recipe for disaster and are now considered a poor practice.

Are people now into "MVC frameworks" or something?

MVC is the accepted pattern (or more correctly "Model 2" which is an MVC-approximation with the limitations of HTTP accounted for).

Frameworks are not necessary, though they are very popular. (Though not with me.) You don't need to use a framework to follow the pattern.

Are Servlets and Servlet Filters still used?

Absolutely!

Can you point me to an exemplary project or blog or tutorial that illustrates how everyone is using the Java web stack in the 21st century?

Make sure any examples, tutorials or other resources you use focus on JSP 2.0 with the JSTL and EL. Anything that uses scriptlets (those <% ... %> thingies) is out of date or poor (or both).

 