How do you protect your JSP under Struts?

 
What is the best strategy to protect JSP pages from malicious form input?

Suppose someone enters things like <tr> or <td> in a text field on your form and later you display these values inside a table tag on your JSP. This will break the appearance of the table.

Do I have to use Validator+RegExp filtering to prevent malicious input, or is there "something" already built into Struts?
 
I think a good idea would be to use the Validator part of Struts for this (in many cases this should come directly from your project specs).

./pope
 
Velika Srbija
Yes, I was sure the answer would sound something like that.
But I spent the whole night trying to write a RegExp that would prevent characters like: < > / \ & : + %

Could someone help with this?
 
Alexandru Popescu
It should look something like

escaping the needed symbols in the above (excluding ^: the negation).

./pope
[ October 28, 2004: Message edited by: Ali Pope ]
 
I think you should use the encode() method of JavaScript.

This method changes data like this:

<td> changes to %3Ctd%3E
[ October 28, 2004: Message edited by: somkiat puisungnoen ]
 
somkiat puisungnoen
Originally posted by Velika Srbija:
Yes, I was sure the answer would sound something like that.
But I spent the whole night trying to write a RegExp that would prevent characters like: < > / \ & : + %

Could someone help with this?

I think a solution that prevents input characters is not a good solution.

You should change special characters to another format...
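The two strategies discussed in this thread side by side, as an added example (not code from the thread or from Struts): the reject-list mask the thread converges on, run through java.util.regex, and a minimal hand-written HTML escaper (hypothetical name escapeHtml) that keeps the input but renders "<td>" as text instead of letting it open a table cell.

```java
import java.util.regex.Pattern;

// Added example: input validation (mask) versus output encoding (escaping)
// for values that end up inside a table on a JSP.
public class FormInputDemo {
    // Same character class as the Validator mask from the thread, written for
    // java.util.regex ("\\\\" in the Java string is one escaped backslash).
    private static final Pattern MASK = Pattern.compile("^[^<>\\\\/&|%?]+$");

    // Strategy 1: reject the input outright if it contains a forbidden char.
    static boolean passesMask(String input) {
        return MASK.matcher(input).matches();
    }

    // Strategy 2: keep the input, but neutralise the characters that carry
    // meaning in HTML before they are written into the page.
    static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed sample inputs: one harmless, one with table markup,
        // one legitimate value that the mask would nevertheless refuse.
        String[] samples = { "John Smith", "<tr><td>x</td></tr>", "Fish & Chips" };
        for (String s : samples) {
            System.out.println("input: " + s);
            System.out.println("  mask accepts : " + passesMask(s));
            // What the JSP emits for the cell once the value is escaped.
            System.out.println("  escaped cell : <td>" + escapeHtml(s) + "</td>");
        }
    }
}
```

Escaping at output time is what Struts' own <bean:write> tag does by default (its filter attribute is true unless you turn it off), so the table cannot be broken by a stored "<td>" even when no input mask is in place; the mask alone also rejects legitimate values such as "Fish & Chips".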
 
Velika Srbija
Preventing input characters with Validator is something that currently fits my needs.
Ali Pope, I have already tried the "[^<>/\&:+%]+" combination, and that doesn't work (XML parser error).
Using escape characters doesn't work either. I think it is because Validator doesn't use java.util.regex, but instead uses org.apache.regexp.RE.
So escaping seems to work differently. Please try yourself and tell me if I was wrong.
 
Alexandru Popescu
Velika, I don't currently have access to the said jar. What I suggest you do (as always with regexps) is to start adding characters one by one. This way you will be able to find the solution.

./pope
 
Velika Srbija
An * works fine. The big problem is with &.
 
Alexandru Popescu
I think the regexp should look like:
[^<>/\\&:\+%]+ or [^<>/\\&:+%]+ (escape the \ and +, or escape only the \).

In case you are sure that Jakarta Regexp is used by Struts, you can play with
this applet.

./pope
 
Velika Srbija
OK. I have tried the applet and the suggested regexp is OK. Inserting a forbidden character causes a trimming operation. It is generally OK.

Now it seems that putting the regexp into the validation.xml file causes the XML parser to fail due to unrecognized chars (like &). Escaping doesn't help at all. Not quite sure, but it has something to do with XML syntax. Gonna try that way!
 
Alexandru Popescu
Inside the XML you should use entities for

and so on (without spaces), otherwise the XML file is not valid. (You can use the initial characters only if the value is set through an entity attribute.)

./pope
[ October 29, 2004: Message edited by: Ali Pope ]
 
Velika Srbija
I have a solution.
This way JavaScript validation works well.
...
<msg name="mask" key="error.bad.chars"/>
<var>
<var-name>mask</var-name>
<!-- <, > and & must be written as entities inside element content, otherwise the XML does not parse -->
<var-value>^[^&lt;&gt;\\/&amp;|%?]+$</var-value>
</var>
...

and in the resources.properties:
...
error.bad.chars=Not allowed chars: < > \\ / & | % ?
...

Another problem!
JavaScript alerts the message: "Not allowed chars: < > / & | % ?"
As you can see there is no \ char. How is that possible?

Note: server-side validation works perfectly. The generated message is OK (i.e. complete).
 
Alexandru Popescu
I think in the properties file you do not have to escape \.

The method does not treat a backslash character, \, before a non-valid escape character as an error; the backslash is silently dropped.

API for java.util.Properties.load(InputStream)

./pope
 
Velika Srbija
No.
The double backslash in resources.properties is important.
Server-side validation (i.e. Java-side) will display a single backslash as expected, but client-side JavaScript will display nothing.
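Why the doubled backslash matters on the Java side, as an added example (not code from the thread): it loads two constructed variants of the resources.properties line through java.util.Properties and returns what the message key actually contains. With "\\" one backslash survives; with a single "\" before the space the backslash is dropped, exactly as the Properties.load documentation quoted above says.

```java
import java.io.IOException;
import java.io.StringReader;
import java.util.Properties;

// Added example: how Properties.load treats a single vs. a double backslash.
public class PropertiesBackslashDemo {
    // Load a properties document given as text and return one value.
    static String load(String propertiesText, String key) throws IOException {
        Properties p = new Properties();
        p.load(new StringReader(propertiesText));
        return p.getProperty(key);
    }

    public static void main(String[] args) throws IOException {
        // Constructed variants of the resources.properties line from the thread.
        // In the Java source, "\\\\" is the file text \\ and "\\" is the file text \.
        String doubled = "error.bad.chars=Not allowed chars: < > \\\\ / & | % ?";
        String single  = "error.bad.chars=Not allowed chars: < > \\ / & | % ?";

        // "\\" in the file is the escape for one literal backslash: it survives.
        System.out.println("doubled: " + load(doubled, "error.bad.chars"));

        // "\ " is not a valid escape: the backslash is silently dropped and only
        // the space remains, so the message loses its backslash entirely.
        System.out.println("single : " + load(single, "error.bad.chars"));
    }
}
```

The backslash that survives server-side then has to pass through a JavaScript string literal when the Validator's client-side script is generated; in JavaScript a backslash before a space is likewise dropped, which is the most likely reason the alert shows no backslash while the Java-side message is complete (this last step is an assumption about how the script is emitted, not something the thread confirms).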
 