I have been working on a project for which I need to do the HTML escaping/encoding to prevent XSS. My project has 2 modules. One is in Spring and the other in Struts. For Spring module I can easily achive this without modifying JSPs by setting the 'defaultHtmlEscape' to true in Web.xml context parameter.
However, for Struts module is there a similar way where I can configure html encoding is required or not.
Currently, for Struts module I am planning to use "StringEscapeUtils.escapeHtml" of apache for Struts module fields.
Also, I saw in some projects that the html encoding is done for even "<font colour" values. Please let me know which are all the fileds I need to encode.
Nagesh Hebbar wrote:Also, I saw in some projects that the html encoding is done for even "<font colour" values. Please let me know which are all the fileds I need to encode.
Wouldn't it make more sense to ask about specific tags, attributes, etc. in the HTML forum?
In any case, I usually just make an S2 interceptor that does tag stripping, and I usually just use esapeHtml, but it depends on what I actually need to do.
*Which* tags is a completely separate issue, and more complex than you think, since you might also need to scrub even handler attributes and so on.
posted 9 years ago
Regarding your first question, I did post this question in HTML forum. But, later this post was moved here.
As far as using "S2 interceptor that does tag stripping", I believe this is done at the server side. If that is the case, then it will not resolve my problem because, whenever user enters some malicious input, it will executed at the browser side before coming to the server side.
So, what I need is to encode the html special chars like "<&>" to "<,&, >" while we output to the browser. I know that for Spring framework, we can easily configure this in Web.xml. So, I was wondering whether there is something similar in Struts framework as well.
Nagesh Hebbar wrote:If the user(or attacker) submits, the alert message will be displayed on the browser.
That's what you said. But that is not true: XSS is on display, not on submit. I replied to what you actually said.
If you're already using c:out to escape, then what's your actual question?
posted 9 years ago
That is the best example I could come up with. And for that reason only I need to do HTML encoding for the fields.
P.S. I am not using <c:out>. I just gave you an example that if we use <c:out> the value will be html encoded.
My problem is I have an existing application which is not using <c:out> for display and it is in Struts framework. now, for encoding all the fields, I need to do it in all JSPs. Thats the reason I asked whether there is some configuration in Struts framework to enable HTML encoding similar to Spring Framework.
But it's not an example of what you're talking about; you're talking about XSS but had said it would be executed on submit, which isn't the case.
In any case, no, there's no global setting for that in Struts (which makes sense to me, since I might not *want* to always escape/not-escape values). The <s:property> tag has an escape attribute; if you're just using JSP EL you'll have to escape it on input, or before it gets to the view (which could also be done via an interceptor).