  • StringToString converter?

    Hi,

    I have created a converter that will extract any dangerous JavaScript or HTML from form fields and convert it to a new clean string. This seems to work fine in Spring MVC when I register it with the conversion service, e.g.:

    import org.springframework.core.convert.converter.Converter;
    import org.springframework.util.StringUtils;

    public class XSSStringConverter implements Converter<String, String> {

        @Override
        public String convert(String s) {
            // Strip anything shaped like a tag: "<", the shortest run of characters, then ">"
            if (!StringUtils.isEmpty(s)) {
                return s.replaceAll("\\<.*?\\>", "");
            }
            return s;
        }
    }


    However, now part of my application (long story) is using web flows and I am trying to reuse the converter to 'clean' all fields in my flow pages also.

    I have now made the converter extend StringToObject so that I can register it in my web flow conversion service also. The question I have is whether there is a simple way to apply this converter to all my web flow form fields without the need to explicitly set it in every 'converter' attribute of the <bind> tags in my web flow config files...


    Hoping you can help.

  • #2
    Hi

    Have you tried using FormattingConversionService? It could work. Instructions on how to enable the formatting conversion service are provided in the Webflow reference guide. In short:
    1. Create a formatter class, name it XSSFormatterAware
    2. Register the formatter by creating a custom class extending org.springframework.format.support.FormattingConversionServiceFactoryBean
    Code:
    import org.springframework.format.FormatterRegistry;
    import org.springframework.format.support.FormattingConversionServiceFactoryBean;

    public class MyFormattingConversionServiceFactoryBean extends FormattingConversionServiceFactoryBean {

        @Override
        protected void installFormatters(FormatterRegistry registry) {
            // Keep the default formatters, then apply XSSFormatterAware to every String field
            super.installFormatters(registry);
            registry.addFormatterForFieldType(String.class, new XSSFormatterAware());
        }
    }
    3. Register your FormattingConversionServiceFactoryBean in the Spring config to be usable for MVC and Spring Web Flow
    Code:
    <bean id="conversionService"
          class="MyFormattingConversionServiceFactoryBean" />
    <mvc:annotation-driven conversion-service="conversionService"/>

    <webflow:flow-builder-services id="flowBuilderServices" conversion-service="webflowDefaultConversionService"/>

    <!-- http://static.springsource.org/spring-webflow/docs/2.3.x/reference/htmlsingle/spring-webflow-reference.html#view-type-conversion -->
    <bean id="webflowDefaultConversionService" class="org.springframework.binding.convert.service.DefaultConversionService">
        <constructor-arg ref="conversionService"/>
    </bean>
    I am using this configuration to have locale-aware string numbers bind to BigDecimal. Everything works like a charm, but the registered formatters are also used by Spring itself when binding Strings to Objects during application context building. I asked a question on that topic in the "WEB" section of this forum but got no replies.
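    As an added example (not code from this thread), the XSSFormatterAware class that the steps above register but do not show: a Spring Formatter<String> whose parse() reuses the first post's tag-stripping regex on the way in and whose print() passes values through unchanged on the way out. The class name comes from the post; the wiring in main() mirrors what the factory bean does; everything else is assumed.

```java
import java.text.ParseException;
import java.util.Locale;
import java.util.regex.Pattern;

import org.springframework.format.Formatter;
import org.springframework.format.support.DefaultFormattingConversionService;
import org.springframework.format.support.FormattingConversionService;

/**
 * Hypothetical XSSFormatterAware (named in post #2, not shown there).
 * parse() runs when a request value is bound to a String field and strips
 * anything shaped like a tag; print() runs when the field is rendered and
 * leaves the value alone, so this is an input sanitiser, not an output encoder.
 */
public class XSSFormatterAware implements Formatter<String> {

    // Same pattern as the first post's converter: "<", shortest run, ">".
    private static final Pattern TAG = Pattern.compile("\\<.*?\\>");

    @Override
    public String parse(String text, Locale locale) throws ParseException {
        if (text == null || text.isEmpty()) {
            return text;
        }
        return TAG.matcher(text).replaceAll("");
    }

    @Override
    public String print(String object, Locale locale) {
        // No escaping here; post #3's view-side escaping (c:out etc.) still applies.
        return object;
    }

    // Sanity check: register for String fields exactly as the factory bean does,
    // then push constructed sample values through the conversion service.
    public static void main(String[] args) throws Exception {
        FormattingConversionService service = new DefaultFormattingConversionService();
        service.addFormatterForFieldType(String.class, new XSSFormatterAware());

        // A markup-bearing value loses its tags but keeps the text between them.
        System.out.println(service.convert("Hello <b>world</b><script>x</script>", String.class));

        // Caveat for a blacklist like this: a legitimate value containing a stray
        // "<" followed later by ">" is also mangled ("a < b and c > d" loses its middle).
        System.out.println(service.convert("a < b and c > d", String.class));
    }
}
```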



    • #3
      Thanks for the response.

      I first went for another approach using a servlet filter I found on the web, which put the request in a HttpServletWrapper where I was able to override getParam()/getParamValues() to clean the data they returned:


      Code:
      in web.xml

      <filter>
          <filter-name>xssServletFilter</filter-name>
          <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
      </filter>

      <filter-mapping>
          <filter-name>xssServletFilter</filter-name>
          <url-pattern>/*</url-pattern>
      </filter-mapping>

      the filter

      import java.io.IOException;

      import javax.servlet.Filter;
      import javax.servlet.FilterChain;
      import javax.servlet.FilterConfig;
      import javax.servlet.ServletException;
      import javax.servlet.ServletRequest;
      import javax.servlet.ServletResponse;
      import javax.servlet.http.HttpServletRequest;

      import org.springframework.stereotype.Service;

      // Registered as a Spring bean so DelegatingFilterProxy can look it up under the
      // filter-name "xssServletFilter" (the default bean name for this class)
      @Service
      public class XssServletFilter implements Filter {

          @Override
          public void init(FilterConfig filterConfig) throws ServletException {
          }

          @Override
          public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse,
                  FilterChain filterChain) throws IOException, ServletException {
              // Hand the rest of the chain a wrapped request whose parameter and header
              // getters return cleaned values
              filterChain.doFilter(new MyHttpRequestWrapper((HttpServletRequest) servletRequest), servletResponse);
          }

          @Override
          public void destroy() {
          }
      }

      the wrapper

      import javax.servlet.http.HttpServletRequest;
      import javax.servlet.http.HttpServletRequestWrapper;

      public class MyHttpRequestWrapper extends HttpServletRequestWrapper {

          /*
           * Don't autowire: the wrapper is created per request by the filter, not by
           * the container (MaliciousStringConverter is the cleaning class, not shown here)
           */
          private MaliciousStringConverter maliciousStringConverter = new MaliciousStringConverter();

          /**
           * Constructor
           * @param servletRequest the {@link HttpServletRequest}
           */
          public MyHttpRequestWrapper(HttpServletRequest servletRequest) {
              super(servletRequest);
          }

          // Note: getParameterMap() and getHeaders(name) are not overridden, so code
          // reading through those methods still sees the raw values

          @Override
          public String[] getParameterValues(String parameter) {
              String[] values = super.getParameterValues(parameter);
              if (values == null) {
                  return null;
              }
              int count = values.length;
              String[] encodedValues = new String[count];
              for (int i = 0; i < count; i++) {
                  encodedValues[i] = maliciousStringConverter.convert(values[i]);
              }
              return encodedValues;
          }

          @Override
          public String getParameter(String parameter) {
              String value = super.getParameter(parameter);
              if (value == null) {
                  return null;
              }
              return maliciousStringConverter.convert(value);
          }

          @Override
          public String getHeader(String name) {
              String value = super.getHeader(name);
              if (value == null) {
                  return null;
              }
              return maliciousStringConverter.convert(value);
          }
      }

      But then I realised we didn't fully need this (so far anyway). All we really needed to do was to escape the data on pages that display/render any data that comes in from the forms. We did this mainly using <c:out>, the <spring:message ... htmlEscape="true"> tag, and the htmlencode attribute of jQuery jqGrid.
