Evaluate multiple fn:contains to check special characters

 
Ranch Hand
Hi Team,

How can I verify whether the string value accountName contains any of the below special characters using the fn:contains JSTL function?

& ( ) % " =

If any of these characters are present in accountName then we need to use fn:replace to replace the special character with a space. Please let me know how we can evaluate multiple fn:contains to check multiple special characters in JSP.

Thanks in advance
 
Marshal
Why do you need to check first?
 
Rithanya Laxmi
Ranch Hand
We need to check whether the passed input accountName has any of these special characters:

& ( ) % " =

If they are there, replace these characters with a space.
 
Bear Bibeault
Marshal
Again, why do you need to check?

Just call the replace and let it do its thing. If there aren't any characters to replace, it won't do anything.
 
Sheriff
  • Likes 1
No. You just need to replace any of those characters which are in the string by spaces.

Let me spell it out in basic terms if you still don't get it. You don't need to say

"If there's any &s in the string, then replace the &s by spaces."

You just need to say

"Replace the &s in the string by spaces."

If there weren't any, then nothing will happen. It's not going to throw an exception and bring your system down.
 
Rithanya Laxmi
Ranch Hand
Yes, right, we need to replace the special characters in the input with a space, and I need to do it only when the input has the special characters. If not, leave it as it is; else replace with a space and reload the page to ensure the URL is updated with input which doesn't contain these special characters.

Initial URL with special char,

https://test.xxx.com/accountDisplay.jsp?accountName=%test"test1(=%

After replacing the special char and page reload, it should be displayed like below

https://test.xxx.com/accountDisplay.jsp?accountName=testtest1

This is what I am looking at.

Thanks
 
Bear Bibeault
Marshal
  • Likes 1
You do not seem to be getting the point: you do not need to perform a check. If there are no characters to change, the replace operation will leave everything as is. The check is pointless and useless.
 
Paul Clapham
Sheriff
  • Likes 1

Bear Bibeault wrote: The check is pointless and useless.

It's actually worse than useless, it's a waste of time. It's quicker to just do the delete by itself.
 
Rithanya Laxmi
Ranch Hand
Thanks, but when we are replacing the special characters with replace it should reload the page to ensure the URL is updated accordingly with no special characters like below. For that, at least I need to do a conditional check with fn:contains, right? Otherwise how can I reload the page if there are special characters in the request param (accountName)? Please clarify.

Initial URL with special char,

https://test.xxx.com/accountDisplay.jsp?accountName=%test"test1(=%

After replacing the special char and page reload, it should be displayed like below

https://test.xxx.com/accountDisplay.jsp?accountName=testtest1
 
Paul Clapham
Sheriff
I don't understand the idea that a JSP can "reload" a page. The purpose of a JSP is to write a page; in your example your JSP should replace the special characters with blanks as part of the page-generating process. If there aren't any special characters it still has to generate and write the page.
 
Rithanya Laxmi
Ranch Hand
Thanks. Page reload (redirect) is needed for the base URL to get updated without special characters if there is one when it is invoked initially? Without a page reload, will the URL get updated without special characters?


Initial URL with special char,

https://test.xxx.com/accountDisplay.jsp?accountName=%test"test1(=%

After replacing the special char and page reload, it should be displayed like below,

https://test.xxx.com/accountDisplay.jsp?accountName=testtest1

Are you saying that without a page reload it is also fine, and there is no need to reload/redirect the page with the updated request param? For example, the below will replace the special characters in the accountName input passed to the page

<c:set var="accountName" value="${fn:replace(fn:replace(fn:replace(fn:replace(fn:replace(fn:replace(lmsRequest,'=',''),'"',''),'%', ''),'&',''),'(',''),')','')}"/>

and this accountName will be passed to the other links in the same page. That's it; there is no need to redirect the page to the same accountDisplay.jsp with the accountName displayed without special characters so it is not susceptible to XSS? It will be like,

<c:set var="accountName" value="${fn:replace(fn:replace(fn:replace(fn:replace(fn:replace(fn:replace(lmsRequest,'=',''),'"',''),'%', ''),'&',''),'(',''),')','')}"/>
Redirect to -> <Redirect:XXX name="url" value="/test/xxx/accountDisplay?accountName=${accountName}" />

Please clarify whether the reload is not needed here, and why.
 
Bear Bibeault
Marshal

Rithanya Laxmi wrote:
Initial URL with special char,

https://test.xxx.com/accountDisplay.jsp?accountName=%test"test1(=%


Where does this URL come from in the first place? Why aren't the special characters removed before it even becomes a link?
 
Rithanya Laxmi
Ranch Hand
This URL is getting invoked by the security team for testing by passing the special characters to check the code prevents XSS attacks, so this URL is invoked directly, which in any case won't happen in a real-time scenario. But here, since the security team has reported the issue by directly invoking the URL, we need to replace these special characters with a space

https://test.xxx.com/accountDisplay.jsp?accountName=%test"test1(=%.

For that only I am using the below

<c:set var="accountName" value="${fn:replace(fn:replace(fn:replace(fn:replace(fn:replace(fn:replace(lmsRequest,'=',''),'"',''),'%', ''),'&',''),'(',''),')','')}"/>
Redirect to -> <Redirect:XXX name="url" value="/test/xxx/accountDisplay?accountName=${accountName}" />

Please let me know whether this reload is still needed here.
 
Bear Bibeault
Marshal
That seems crazy to me. If the account name is invalid, an error should be thrown.

By trying to adjust an invalid account name to a valid one, you are actually decreasing the security of your app.
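
The difference between repairing and rejecting, as an added example that is not part of the thread or any poster's code. The class and method names, the account-name pattern and the sample inputs are assumptions made for illustration; it compares deleting the six listed characters with allow-list validation plus output encoding.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.Optional;
import java.util.regex.Pattern;

public class AccountNameCheck {
    // Assumed policy: letters, digits, '_' and '-', 1 to 64 characters.
    private static final Pattern VALID = Pattern.compile("[A-Za-z0-9_-]{1,64}");

    // The thread's approach: delete & ( ) % " = and keep everything else.
    static String stripListed(String s) {
        return s.replaceAll("[&()%\"=]", "");
    }

    // Allow-list validation: accept the value unchanged or reject it, never repair it.
    static Optional<String> validate(String raw) {
        return (raw != null && VALID.matcher(raw).matches()) ? Optional.of(raw) : Optional.empty();
    }

    // Minimal HTML encoder for element content and quoted attribute values.
    static String escapeHtml(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&': out.append("&amp;"); break;
                case '<': out.append("&lt;"); break;
                case '>': out.append("&gt;"); break;
                case '"': out.append("&quot;"); break;
                case '\'': out.append("&#39;"); break;
                default: out.append(c);
            }
        }
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed inputs: a clean name, the thread's test value, and a value
        // built only from characters that are not on the six-character list.
        String[] samples = { "testtest1", "%test\"test1(=%", "te<b>st'1" };
        for (String raw : samples) {
            System.out.println("input     : " + raw);
            System.out.println("stripped  : " + stripListed(raw));
            System.out.println("validated : " + validate(raw).orElse("REJECTED (respond with an error)"));
            System.out.println("html      : " + escapeHtml(raw));
            // URLEncoder.encode(String, Charset) requires Java 10 or later.
            System.out.println("url param : " + URLEncoder.encode(raw, StandardCharsets.UTF_8));
        }
    }
}
```

The third sample passes through `stripListed` unchanged because `<`, `>` and `'` are not on the list, while validation rejects it and encoding renders it inert. In a JSP the encoding steps correspond to `<c:out>` or `fn:escapeXml` for HTML output and `<c:param>` inside `<c:url>` for link parameters.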
 
Rithanya Laxmi
Ranch Hand
But throwing an error message is not a part of the requirement for this direct URL invocation. What you mentioned is correct, but this is an interim solution we are looking at, hence the idea is to replace the special characters in the accountName passed and adjust it to make it valid as you pointed out, and that is the requirement for this functionality. Please let me know whether reloading the page makes a difference here.
 