The code that Struts uses (which is probably closest to your proposed
getEscapedHtml() method) is the filter() method in
org.apache.struts.util.ResponseUtils.  But the mechanics (change any
occurrence of '<', '>', '&', or '"' to the corresponding escape sequence)
is the easy part of the problem.  The harder part is making sure that all
your webapps practice "safe sex" and use CSSCondom.  :-)

I don't know of any generic solutions to the getStrippedHtml() or
removeScriptTag() methods you propose - but are they still necessary if you
do the getEscapedHtml() processing on everything?

Craig


On Wed, 21 Nov 2001, Jon Stevens wrote:

> Date: Wed, 21 Nov 2001 00:49:36 -0800
> From: Jon Stevens <[EMAIL PROTECTED]>
> Reply-To: Jakarta General List <[EMAIL PROTECTED]>
> To: "[EMAIL PROTECTED]" <[EMAIL PROTECTED]>
> Subject: Re: Cross site scripting
>
> on 11/20/01 11:54 PM, "Craig R. McClanahan" <[EMAIL PROTECTED]> wrote:
>
> > However, Jon is asking for container-based solutions -- I guess that
> > requiring the use of Strut tags for all your output qualifies.  :-)
> >
> > Craig
>
> Sigh. I am *not* asking for a container based solution.
>
> Because something got lost in your translation of what I'm saying, just to
> be clear, I'm asking for a library that takes a String as input and returns
> a String as output and provides the various encoding schemes for preventing
> CSS attacks (it seems like none of them are a magic bullet, but combined,
> they do the job depending on the level of protection you need).
>
> Something like:
>
> public class CSSCondom
> {
>     public String getEscapedHtml(String input);
>     public String getStrippedHtml(String input);
>     public String removeScriptTags(String input);
> }
>
> Velocity has a cool feature where you can attach what are called
> EventCartridges to items in the Context so that when they are rendered in a
> template, code is executed. This is similar to having a taglib bean return
> data that has been 'protected'.
>
> <http://jakarta.apache.org/velocity/developer-guide.html#EventCartridge%20and%20Event%20Handlers>
>
> In this case, I'm developing a ReferenceInsertionEventHandler that would
> rely on this general CSSCondom library to help protect me from unwanted
> outcomes.
>
> Thanks.
>
> -jon
>
>
> --
> To unsubscribe, e-mail:   <mailto:[EMAIL PROTECTED]>
> For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>
>
>
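The escaping Craig describes (replace '<', '>', '&' and '"' with their character entities, as org.apache.struts.util.ResponseUtils.filter() does) is small enough to show in full. The class below is an added example written for this archive page; it is not code from the thread, from Struts or from Velocity. The class name CssCondom and the helper isInert are chosen here; the nested Velocity handler assumes the Velocity 1.x ReferenceInsertionEventHandler interface (referenceInsert(String, Object)), which is an assumption about that API, not something the thread states. The sample strings in main() are constructed.

```java
import org.apache.velocity.app.event.ReferenceInsertionEventHandler;

/**
 * Added example, not the thread's or any project's code: an output-encoding
 * helper in the shape Jon sketched. Only getEscapedHtml() is implemented,
 * because (as Craig points out) once every value is escaped on output there
 * is nothing left for getStrippedHtml() or removeScriptTags() to do.
 */
public final class CssCondom {

    private CssCondom() {}

    /**
     * Escape the four characters Craig lists so the browser renders the text
     * literally instead of parsing it as markup or attribute delimiters.
     */
    public static String getEscapedHtml(String input) {
        if (input == null) {
            return null;
        }
        StringBuilder out = new StringBuilder(input.length() + 16);
        for (int i = 0; i < input.length(); i++) {
            char c = input.charAt(i);
            switch (c) {
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '&':  out.append("&amp;");  break;
                case '"':  out.append("&quot;"); break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    /**
     * Defensive check (helper name chosen for this example): true when the
     * string contains none of the four characters that can open a tag or
     * close a double-quoted attribute, i.e. it is safe to drop into HTML text.
     */
    public static boolean isInert(String s) {
        if (s == null) {
            return true;
        }
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            if (c == '<' || c == '>' || c == '&' || c == '"') {
                return false;
            }
        }
        return true;
    }

    /**
     * The Velocity hook Jon mentions: every $reference rendered in a template
     * passes through here, so escaping happens in one place instead of in
     * each template. Assumes the Velocity 1.x handler signature.
     */
    public static final class EscapingInsertionHandler implements ReferenceInsertionEventHandler {
        public Object referenceInsert(String reference, Object value) {
            // Non-string values are converted to their string form before escaping.
            return value == null ? null : getEscapedHtml(value.toString());
        }
    }

    public static void main(String[] args) {
        // Constructed sample inputs: plain text, markup, and a quoted attribute value.
        String[] samples = {
            "Tom & Jerry",
            "<b>not bold</b>",
            "title=\"x\""
        };
        for (String s : samples) {
            String escaped = getEscapedHtml(s);
            System.out.println(s + "  ->  " + escaped + "  (inert: " + isInert(escaped) + ")");
        }
    }
}
```

Registering EscapingInsertionHandler on the Velocity context (via an EventCartridge, as the linked developer guide describes) makes escaping the default for every reference; a template that genuinely needs raw markup then has to opt out explicitly, which is the safer failure mode.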
