
losing data when user enters form value with double quotes

 
Keri Mathis
Greenhorn
Problem: User fills out a form in my JSP page, uses double-quotes in the value, and once the servlet gets the data, it cuts it off at the double-quote.

Details:
JSP form field: If the user enters: John "Bear Wannabe" Johnson

The first thing my servlet does is call request.getParameterMap() (on HttpServletRequest). If I examine the map and find CurrentName field, the only value is: John. The rest gets cut off after the first double-quote.

Is this a common problem? If so, I could not find a common solution. Do I need to add a filter before the servlet does something? Does the JSP need to encode all fields prior to submitting? Do I need a JavaScript routine? I've got about 100 fields, so I'm hoping for a possible solution where I don't need to validate each field individually by name.

Thanks.
 
Bear Bibeault
Author and ninkuma
Marshal
You should not have to do anything at all. The form submission will take care of all the proper encoding.

You'll need to show us the code that retrieves the value.

Are you sure there's not any JavaScript on the page mucking around with the value?
 
Keri Mathis
Greenhorn
Ok, more info. JSP1 collects data via form - sample in first post. Submits to JSP2 which presents all the data prior to sending to Servlet. Here's some code from JSP2
In the JSP2 page, the data displays correctly as: John "Bear Wannabe" Johnson

MyController

When I break after this last line and examine the data in 'params' the entry for CurrentName only contains the String "John" (no quotes). Is encoding supposed to happen automatically, such that the Map should contain CurrentName=John \"Bear Wannabe\" Johnson?
 
Bear Bibeault
Author and ninkuma
Marshal
What's with all the intermediary processing?

In any case, my current guess is that the second JSP has sloppy markup such that missing quotes, or improperly encoded values, are causing markup errors that result in the data truncation.

Are all these intermediate somersaults necessary?
 
Keri Mathis
Greenhorn
JSP1 does go through quite a process to collect data dynamically, based on user input along the way, along with some validation.
JSP2 just takes all the data passed from JSP1, and formats it into a predefined document format using tables. That way the user can view the information prior to submitting to the database.

While it may not be ideal, this is a complicated form that I inherited, and has gone through quite a bit of testing. There's a lot of data fields, and the JSP2 format had to pass through our legal dept. So I'm not real free to completely redo it.

However, JSP2 really isn't doing a whole lot besides (1) storing all variables in hidden fields, and (2) displaying the values on the screen. Then the form gets submitted as shown. If the quotes are in the text on the preview page, the hidden variables should function just like filling out a form and should be a straight-forward submit.

If this is supposed to work, I will create a sample HTTP form, and submit it to a sample servlet, and see if values with double-quotes make it through. My thinking was there was some basic processing that needed to be added to handle this scenario that I was missing.
 
Keri Mathis
Greenhorn
Resolved. The fix, in case it's ever useful to someone else:

JSP1 collects the data, and passes it to JSP2.
JSP2 stores the values as hidden variables, to allow the user to preview the form, then submits from there.
If the user entered a name like Larry “the Cucumber” Smith on JSP1, JSP2 does this: Which results in this on the page, and really results in just “Larry ” being the true value.

The new code adds this JSTL function using page variables:
Someone suggested using org.apache.commons.lang.StringEscapeUtils. I didn't explore this because it came after the fact, but I could not pass ${param.CurrentName} into any JavaScript function or variable, because it resolved the string prior to passing and then was an invalidly-formatted parameter to pass because of the extra quotes.
 
Mark E Hansen
Ranch Hand
It's more than just the quotes you need to worry about. Any text you wish to display on your page needs to have all HTML special characters escaped. These include at least the quotes, left/right angle brackets and ampersand.
 
sagar powar
Greenhorn
You can use some 3rd party APIs like ESAPI to encode the following characters in HTML.

& --> & amp;
< --> & lt;
> --> & gt;
" --> & quot;
' --> & #x27; ' is not recommended
/ --> & #x2F; forward slash is included as it helps end an HTML entity


Note: Single space is added purposefully, otherwise right hand side '& lt;' will get rendered as <.

The above HTML code can be written as,



You can find more about ESAPI: http://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
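
The truncation diagnosed in this thread and the escaping that prevents it, as an added Java example that is not code from any poster. The class and method names are hypothetical, and `submittedValue` is a simplified stand-in for how a browser reads a double-quoted `value` attribute.

```java
// Added example; HiddenFieldEscaping and its methods are hypothetical names.
public class HiddenFieldEscaping {

    // Escape the characters listed in the thread before writing a value into HTML.
    static String escapeHtml(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#x27;"); break;
                case '/':  out.append("&#x2F;"); break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // What a preview page emits for one hidden field.
    static String hiddenInput(String name, String attrValue) {
        return "<input type=\"hidden\" name=\"" + name + "\" value=\"" + attrValue + "\">";
    }

    // Simplified browser model: the attribute ends at the next double quote,
    // then character references are decoded (&amp; last, to avoid double decoding).
    static String submittedValue(String html) {
        int start = html.indexOf("value=\"") + "value=\"".length();
        String raw = html.substring(start, html.indexOf('"', start));
        return raw.replace("&lt;", "<").replace("&gt;", ">").replace("&quot;", "\"")
                  .replace("&#x27;", "'").replace("&#x2F;", "/").replace("&amp;", "&");
    }

    public static void main(String[] args) {
        String entered = "John \"Bear Wannabe\" Johnson"; // value from the first post
        String unescaped = hiddenInput("CurrentName", entered);
        String escaped = hiddenInput("CurrentName", escapeHtml(entered));
        // Unescaped: the user's own quote closes the attribute early.
        System.out.println(unescaped + "\n  -> [" + submittedValue(unescaped) + "]");
        // Escaped: the full value survives the round trip.
        System.out.println(escaped + "\n  -> [" + submittedValue(escaped) + "]");
    }
}
```

In a JSP, JSTL's `<c:out>` tag and `fn:escapeXml` function apply this kind of escaping to `<`, `>`, `&`, `'` and `"`.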
 