Evaluate multiple fn:contains to check special characters

 
Ranch Hand
Posts: 255
Hi Team,

How can I verify whether the string value accountName contains any of the below special characters using the fn:contains JSTL function?

& ( ) % " =

If any of these characters are present in accountName, then we need to use fn:replace to replace the special character with a space. Please let me know how we can evaluate multiple fn:contains to check multiple special characters in JSP.

Thanks in advance
 
Sheriff
Posts: 67620
Why do you need to check first?
 
Rithanya Laxmi
Ranch Hand
Posts: 255
We need to check whether the passed input accountName has any of these special characters:

& ( ) % " =

If they are there, replace these characters with a space.
 
Bear Bibeault
Sheriff
Posts: 67620
Again, why do you need to check?

Just call the replace and let it do its thing. If there aren't any characters to replace, it won't do anything.
 
Sheriff
Posts: 26963
  • Likes 1
No. You just need to replace any of those characters which are in the string by spaces.

Let me spell it out in basic terms if you still don't get it. You don't need to say

"If there's any &s in the string, then replace the &s by spaces."

You just need to say

"Replace the &s in the string by spaces."

If there weren't any, then nothing will happen. It's not going to throw an exception and bring your system down.
 
Rithanya Laxmi
Ranch Hand
Posts: 255
Yes, right, we need to replace the special characters in the input with a space, and I need to do it only when the input has the special characters; if not, leave it as it is, else replace with a space and reload the page to ensure the URL is updated with input which doesn't contain these special characters.

Initial URL with special char,

https://test.xxx.com/accountDisplay.jsp?accountName=%test"test1(=%

After replacing the special char and page reload, it should be displayed like below

https://test.xxx.com/accountDisplay.jsp?accountName=testtest1

This is what I am looking at.

Thanks
 
Bear Bibeault
Sheriff
Posts: 67620
  • Likes 1
You do not seem to be getting the point: you do not need to perform a check. If there are no characters to change, the replace operation will leave everything as is. The check is pointless and useless.
 
Paul Clapham
Sheriff
Posts: 26963
  • Likes 1

Bear Bibeault wrote: The check is pointless and useless.



It's actually worse than useless, it's a waste of time. It's quicker to just do the delete by itself.
 
Rithanya Laxmi
Ranch Hand
Posts: 255
Thanks, but when we are replacing the special characters with replace, it should reload the page to ensure the URL is updated accordingly with no special characters, like below. For that, at least I need to do a conditional check with fn:contains, right? Else how can I reload the page if there are special characters in the request param (accountName)? Please clarify.

Initial URL with special char,

https://test.xxx.com/accountDisplay.jsp?accountName=%test"test1(=%

After replacing the special char and page reload, it should be displayed like below

https://test.xxx.com/accountDisplay.jsp?accountName=testtest1
 
Paul Clapham
Sheriff
Posts: 26963
I don't understand the idea that a JSP can "reload" a page. The purpose of a JSP is to write a page; in your example your JSP should replace the special characters with blanks as part of the page-generating process. If there aren't any special characters it still has to generate and write the page.
 
Rithanya Laxmi
Ranch Hand
Posts: 255
Thanks. Is a page reload (redirect) needed for the base URL to get updated without special characters, if there is one when it is invoked initially? Without a page reload, will the URL get updated without special characters?


Initial URL with special char,

https://test.xxx.com/accountDisplay.jsp?accountName=%test"test1(=%

After replacing the special char and page reload, it should be displayed like below,

https://test.xxx.com/accountDisplay.jsp?accountName=testtest1

Are you saying that it is fine without a page reload as well, and there is no need to reload/redirect the page with the updated request param? For example, the below will replace the special characters in the accountName input passed to the page:

<c:set var="accountName" value="${fn:replace(fn:replace(fn:replace(fn:replace(fn:replace(fn:replace(lmsRequest,'=',''),'"',''),'%', ''),'&',''),'(',''),')','')}"/>

and this accountName will be passed to the other links in the same page. That's it; there is no need to redirect the page to the same accountDisplay.jsp with the accountName displayed without special characters so it is not susceptible to XSS? It will be like:

<c:set var="accountName" value="${fn:replace(fn:replace(fn:replace(fn:replace(fn:replace(fn:replace(lmsRequest,'=',''),'"',''),'%', ''),'&',''),'(',''),')','')}"/>
Redirect to -> <Redirect:XXX name="url" value="/test/xxx/accountDisplay?accountName=${accountName}" />

Please clarify here the reload is not needed and why?




 
Bear Bibeault
Sheriff
Posts: 67620

Rithanya Laxmi wrote:
Initial URL with special char,

https://test.xxx.com/accountDisplay.jsp?accountName=%test"test1(=%


Where does this URL come from in the first place? Why aren't the special characters removed before it even becomes a link?
 
Rithanya Laxmi
Ranch Hand
Posts: 255
This URL is getting invoked by the security team for testing by passing the special characters to check that the code prevents XSS attacks, so this URL is invoked directly, which in any case won't happen in a real-time scenario. But here, since the security team has reported the issue by directly invoking the URL, we need to replace these special characters with a space:

https://test.xxx.com/accountDisplay.jsp?accountName=%test"test1(=%.

For that only I am using the below:

<c:set var="accountName" value="${fn:replace(fn:replace(fn:replace(fn:replace(fn:replace(fn:replace(lmsRequest,'=',''),'"',''),'%', ''),'&',''),'(',''),')','')}"/>
Redirect to -> <Redirect:XXX name="url" value="/test/xxx/accountDisplay?accountName=${accountName}" />

Please let me know whether this reload is still needed here.
 
Bear Bibeault
Sheriff
Posts: 67620
That seems crazy to me. If the account name is invalid, an error should be thrown.

By trying to adjust an invalid account name to a valid one, you are actually decreasing the security of your app.
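
Added example, not part of the original thread or any poster's code: the reject-instead-of-repair approach from the post above, set beside the six-character strip discussed in the thread, with the escaping that `<c:out>` / `fn:escapeXml` apply when the value is written into the page. The allowlist pattern, the class and method names, and the sample inputs are assumptions made for illustration; the thread never defines what a valid account name is.

```java
import java.util.regex.Pattern;

public class AccountNameCheck {
    // Hypothetical rule: the thread does not say what a valid account name looks like.
    private static final Pattern VALID = Pattern.compile("[A-Za-z0-9_-]{1,64}");

    // The approach from the thread: remove & ( ) % " = and carry on with the rest.
    static String stripDenylist(String s) {
        return s.replaceAll("[&()%\"=]", "");
    }

    // Reject instead of repair: the caller maps the exception to an error response.
    static String requireValid(String s) {
        if (s == null || !VALID.matcher(s).matches()) {
            throw new IllegalArgumentException("invalid accountName");
        }
        return s;
    }

    // Same five replacements JSTL performs for <c:out> and fn:escapeXml.
    static String escapeXml(String s) {
        StringBuilder out = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&': out.append("&amp;"); break;
                case '<': out.append("&lt;"); break;
                case '>': out.append("&gt;"); break;
                case '"': out.append("&#034;"); break;
                case '\'': out.append("&#039;"); break;
                default: out.append(c);
            }
        }
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed inputs: a clean name, the value from the thread's URL,
        // and markup characters that are not on the six-character list.
        String[] samples = { "testtest1", "%test\"test1(=%", "<b>test</b>" };
        for (String s : samples) {
            String verdict;
            try { requireValid(s); verdict = "accepted"; }
            catch (IllegalArgumentException e) { verdict = "rejected"; }
            System.out.println(escapeXml(s) + " | stripped: "
                    + escapeXml(stripDenylist(s)) + " | " + verdict);
        }
    }
}
```

The third sample passes through `stripDenylist` unchanged, while `requireValid` rejects it and `escapeXml` renders it inert on output.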
 
Rithanya Laxmi
Ranch Hand
Posts: 255
But throwing an error message is not a part of the requirement for this direct URL invocation. What you mentioned is correct, but this is an interim solution we are looking at; hence the idea is to replace the special characters in the accountName passed and adjust it to make it valid, as you pointed out, and that is the requirement for this functionality. Please let me know whether a reload of the page makes a difference here.
 