  • Spring - cross site scripting

    Hi,

    How to handle cross site scripting in Spring globally, in a page or at application level?
    If we want to handle it individually in a form we can set htmlEscape to true on each field, but what if we want to set it globally, once for a page?

    Please help....

    Regards,
    Last edited by buntyindia; Oct 10th, 2008, 12:00 AM.

  • #2
    While searching on the net, I got the following:


    In Spring MVC, form tags are used to create JSP pages. Spring MVC provides multiple options to encode HTML escape sequences on the server side.

    * At global level, it can be defined in the web.xml file. This will be applicable to the entire application. All form tags would refer to this definition. The sample code is shown below:

    <context-param>
    <param-name>defaultHtmlEscape</param-name>
    <param-value>true</param-value>
    </context-param>

    * At page level, it is defined as a tag declaration. The code is:

    <spring:htmlEscape defaultHtmlEscape="true" />

    Any form tag after the above declaration uses HTML escape-sequence encoding.

    * The third option is to define it as an attribute on each form tag. For example, an input text can be defined as:

    <form:input path="name" htmlEscape="true" />

    Depending upon the requirement, it can be implemented at global, page or tag level.

    on the http://www.techcrony.info/?p=41 website.

    Will this work, or is there any change you people would suggest?
    Last edited by buntyindia; Oct 8th, 2008, 01:42 PM.



    • #3
      [Solved]

      This works fine for global settings.

      Code:
      <context-param>
        <param-name>defaultHtmlEscape</param-name>
        <param-value>true</param-value>
      </context-param>
      Site http://www.techcrony.info/?p=41 was a good resource.

      Last edited by buntyindia; Oct 10th, 2008, 12:03 AM.



      • #4
        Interesting, thanks for posting this.



        • #5
          Originally posted by ew0kian
          Interesting, thanks for posting this.
          You are welcome.



          • #6
            I've tried the above (at web.xml, page, and control levels) without success. When displaying the values, the browser just executes the JavaScript or HTML tags as I enter them, without doing any escaping.

            I am displaying the entered fields as ${varname}

            web.xml has this:
            Code:
            <context-param>
                <param-name>defaultHtmlEscape</param-name>
                <param-value>true</param-value>
            </context-param>
            The top of the pages (both input and display) has this:

            Code:
            <spring:htmlEscape defaultHtmlEscape="true"/>
            The control has this:

            Code:
            <form:textarea id="varname" path="varname" htmlEscape="true"/>
            What could I be doing wrong?
            Last edited by pgibbons; Jun 18th, 2009, 05:04 PM.



            • #7
              Did you ever get a solution to this? I'm using FreeMarker with Spring as well, and unless I put ?html on the field, or use <#escape x as x?html>${variable}</#escape>, the HTML is not escaped properly.

              The forms work fine, based on the setting of that context-param in web.xml.



              • #8
                Originally posted by buntyindia

                * At global level, it can be defined in the web.xml file. This will be applicable to the entire application. All form tags would refer to this definition. The sample code is shown below:

                * At page level, it is defined as a tag declaration. The code is:

                Any form tag after the above declaration uses HTML escape-sequence encoding.

                * The third option is to define it as an attribute on each form tag. For example, an input text can be defined as:

                Depending upon the requirement, it can be implemented at global, page or tag level.

                on the http://www.techcrony.info/?p=41 website.

                Will this work, or is there any change you people would suggest?
                Hi,

                I tried all 3 options on my project but none of them seems to work. If I input JavaScript or an HTML header (h1) in a textarea, it is rendered as well.
                Is there another tweak to get this to work?

                thanks
                aofs

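The failure described in #6 and #8 has a single cause that the thread never spells out: `defaultHtmlEscape`, whether set in web.xml or with `<spring:htmlEscape>`, is read only by Spring's own tag libraries (the `form:` tags, `spring:message`, `spring:bind`, `spring:escapeBody`). A value written to the page with plain `${varname}` never passes through Spring, so the container emits it verbatim and the browser parses any markup in it. The JSP below is an added example, not code from the thread; it assumes a controller has put a model attribute named `entry` with a String property `varname` in the model (both names are assumptions, as is the Spring 2.5+ `modelAttribute` attribute on `form:form`), and shows the raw EL output next to three outputs that do escape.

```jsp
<%@ page contentType="text/html;charset=UTF-8" pageEncoding="UTF-8" %>
<%@ taglib prefix="c"      uri="http://java.sun.com/jsp/jstl/core" %>
<%@ taglib prefix="spring" uri="http://www.springframework.org/tags" %>
<%@ taglib prefix="form"   uri="http://www.springframework.org/tags/form" %>
<%--
  Added example, not from the original thread.
  Assumption: the controller exposed a model attribute "entry" with a String
  property "varname". To reproduce what posts #6 and #8 describe, submit a
  constructed value such as <script>alert(1)</script> for varname.
--%>
<spring:htmlEscape defaultHtmlEscape="true" />
<html>
<body>

<%-- 1. Plain EL. Neither the web.xml context-param nor the spring:htmlEscape
     tag above is consulted here: the container writes the string unchanged,
     so any markup in varname is parsed by the browser as markup. --%>
<p>raw EL: ${entry.varname}</p>

<%-- 2. JSTL c:out. escapeXml defaults to true, so < > & ' " are encoded
     regardless of any Spring setting. --%>
<p>c:out: <c:out value="${entry.varname}"/></p>

<%-- 3. Spring's escapeBody tag. With no htmlEscape attribute it falls back to
     the page/web.xml default set above, so the global setting does apply. --%>
<p>escapeBody: <spring:escapeBody>${entry.varname}</spring:escapeBody></p>

<%-- 4. Spring form tag. The form: tags are what the three settings in the
     thread control; the textarea body is escaped, so a value that ends in
     </textarea><script>... cannot break out of the element. --%>
<form:form modelAttribute="entry" method="post">
  <form:textarea path="varname" rows="4" cols="60"/>
  <input type="submit" value="Save"/>
</form:form>

</body>
</html>
```

No page-level or web.xml setting turns `${...}` into an escaping construct, so every display-side interpolation needs form 2 or 3, and the form tags alone (form 4) protect only the edit page, not the page that shows the stored value. The same split is what #7 reports for FreeMarker views: Spring's form macros read `defaultHtmlEscape`, while a bare `${variable}` in the template needs the `?html` builtin or an `<#escape>` block.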
