Here's a data-driven problem I've run into using JSP 1.0 with Model 2 (no
get/setProperty tags).
I've got an input tag similar to this:
<INPUT type="text" name="orderID" value="<%= orderView.getStringItem("orderID") %>" >
When a user inputs string delimiters (", ') or other special characters in
the input field it may create havoc:
* If Joe "Bob" is entered, the first " terminates my string
surrounding the value and the field is left as Joe after the form is
submitted.
* If Joe "Bob's is entered, the " terminates the value string, the '
starts a new string and the rest of my HTML / JSP is mangled until another '
is encountered somewhere in the page.
* What if Joe "<TABLE><TR><TD> was entered OR Joe"<%
orderView.remove() OR some other devious plot.
What to do? I could
* Cleanse any quotes during the onKeypress event with JavaScript. But
that's not too cool. Also, this won't help if the data comes from some
other source than my JSP page.
* I could cleanse the string on the server side but I don't really
want to take the performance hit of string operations in fetching every
single input field.
* I could omit the optional "s in the HTML, but many of the tools
(Websphere Studio, Script Builder, etc.) keep putting them back in.
Any ideas? This must be a common problem.
Thanks,
Dan
===========================================================================
To unsubscribe: mailto [EMAIL PROTECTED] with body: "signoff JSP-INTEREST".
For digest: mailto [EMAIL PROTECTED] with body: "set JSP-INTEREST DIGEST".
Some relevant FAQs on JSP/Servlets can be found at:
http://java.sun.com/products/jsp/faq.html
http://www.esperanto.org.nz/jsp/jspfaq.html
http://www.jguru.com/jguru/faq/faqpage.jsp?name=JSP
http://www.jguru.com/jguru/faq/faqpage.jsp?name=Servlets
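The fix a practitioner would want for the problem in the post above is a single server-side pass that encodes the five characters with meaning inside an HTML attribute (&, <, >, " and ') before they reach the value="..." string. The example below is added here and is not code from the post or from any JSP product; the class and method names (HtmlAttr, escapeAttribute, inputTag) are hypothetical, and the sample inputs are the three cases from the post, reconstructed here. It uses only Java 1.1-era APIs (StringBuffer, no regular expressions) so it fits the JSP 1.0 environment described.

```java
// Added example (not from the original post): escape untrusted text for use
// inside an HTML attribute so quotes, angle brackets and ampersands cannot
// terminate value="..." or inject markup. Names are hypothetical.
public class HtmlAttr {

    /** Replace the five characters that have meaning in an HTML attribute value. */
    public static String escapeAttribute(String s) {
        if (s == null) {
            return "";
        }
        StringBuffer out = new StringBuffer(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    /** Build the same INPUT tag as in the post, with both attributes escaped. */
    public static String inputTag(String name, String value) {
        return "<INPUT type=\"text\" name=\"" + escapeAttribute(name)
             + "\" value=\"" + escapeAttribute(value) + "\" >";
    }

    public static void main(String[] args) {
        // Constructed inputs, one per case raised in the post.
        String[] samples = {
            "Joe \"Bob\"",
            "Joe \"Bob's",
            "Joe \"<TABLE><TR><TD>",
            "Joe\"<% orderView.remove() %>"
        };
        for (int i = 0; i < samples.length; i++) {
            System.out.println(inputTag("orderID", samples[i]));
        }
    }
}
```

Running main prints, for the first case, `<INPUT type="text" name="orderID" value="Joe &quot;Bob&quot;" >`: the browser decodes the entities and shows Joe "Bob" in the field, while the attribute string itself is never terminated early. In the page it would be used as `<%= HtmlAttr.escapeAttribute(orderView.getStringItem("orderID")) %>`, which leaves the tool-generated quotes in place. On the two worries in the post: the cost is one linear pass over each field, which is negligible next to the request handling around it, and the `<%` case is not a server-side risk on its own (runtime data is emitted into the response and is never recompiled as JSP), but it is still HTML injection into the page unless it is escaped like the other cases. Client-side cleansing does not replace this, since it cannot cover data that arrives from sources other than the form.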