>> It's as simple as just adding double quotes around the City name to define
>> the boundaries of the string. If double quotes aren't used then you get the
>> default behaviour that you described.
>
> Yes, but note that this approach leaves open the cross-site scripting
> security hole, for one thing. For example, if I set my city to:
> "><script>alert('Look, ma, no hands')</script>
> I can manipulate the browser (and potentially other people's browsers if
> they are viewing the same data), because
>
>> <input type="TEXT" name=City size="25" value="<%=table.getCity()%>">
>
> gets rendered as
> <input type="TEXT" name=City size="25" value=""><script>alert('Look, ma,
> no hands')</script>">
If you are going to display the form results, couldn't you avoid this hole by
wrapping your display in <pre>tags</pre>?
Of course you're still going to have a problem if you are using the form results
for anything but display. But then again, if you are going to be writing
results to a database you will probably want to do some data validation
beforehand. And you will still have to deal with the possibility of
table.getCity() returning a bad string as you describe below.
_jesse
>
> Also, if table.getCity() is a string that includes a double-quote
> character, it will still fail. They should be replaced by &qt; instead.
>
> I usually use a helper function (static method) that translates:
> '>' --> &gt;
> '<' --> &lt;
> '"' --> &qt;
> '&' --> &amp;
> And of course any non-ASCII characters should be encoded to their hex
> values (&#xx).
>
===========================================================================
To unsubscribe: mailto [EMAIL PROTECTED] with body: "signoff JSP-INTEREST".
Some relevant FAQs on JSP/Servlets can be found at:
http://java.sun.com/products/jsp/faq.html
http://www.esperanto.org.nz/jsp/jspfaq.html
http://www.jguru.com/jguru/faq/faqpage.jsp?name=JSP
http://www.jguru.com/jguru/faq/faqpage.jsp?name=Servlets
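The helper described in the thread, written out as an added example (not code from either poster). It escapes the characters that can break out of a double-quoted attribute, uses the correct entity `&quot;` for the double quote (the `&qt;` in the thread is a typo), and also escapes the single quote and non-ASCII code points; `HtmlEscaper` and `renderCityInput` are names chosen here, and the JSP fragment is the one quoted above.

```java
/** Escapes a string for safe insertion into an HTML attribute value (added example). */
public final class HtmlEscaper {

    private HtmlEscaper() {}

    /**
     * Replaces each character that can alter HTML structure with an entity reference.
     * Iterating by code point keeps surrogate pairs intact when emitting numeric references.
     */
    public static String escapeAttribute(String s) {
        if (s == null) return "";
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); ) {
            int cp = s.codePointAt(i);
            i += Character.charCount(cp);
            switch (cp) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break; // the entity is &quot;, not &qt;
                case '\'': sb.append("&#39;");  break; // also safe inside single-quoted attributes
                default:
                    if (cp > 0x7E) {
                        // numeric reference for non-ASCII code points, e.g. &#xe9; for 'e' acute
                        sb.append("&#x").append(Integer.toHexString(cp)).append(';');
                    } else {
                        sb.append((char) cp);
                    }
            }
        }
        return sb.toString();
    }

    /**
     * Builds the City input from the thread. In the JSP itself the hardened form is
     *   <input type="TEXT" name="City" size="25" value="<%=HtmlEscaper.escapeAttribute(table.getCity())%>">
     */
    public static String renderCityInput(String city, boolean escaped) {
        String value = escaped ? escapeAttribute(city) : city;
        return "<input type=\"TEXT\" name=\"City\" size=\"25\" value=\"" + value + "\">";
    }

    public static void main(String[] args) {
        // Constructed sample: the city value quoted in the thread.
        String city = "\"><script>alert('Look, ma, no hands')</script>";
        System.out.println("Unescaped: " + renderCityInput(city, false));
        System.out.println("Escaped:   " + renderCityInput(city, true));
    }
}
```

With the escaped form, the quote and angle brackets arrive in the browser as `&quot;&gt;&lt;script&gt;`, so the value stays inside the attribute and no script element is created.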