"Seibert, Dan" wrote:
>
> Here's a data driven problem I've run into using JSP 1.0 with Model 2 (no
> get/setProperty tags).
>
> I've got an input tag similar to this:
>
> <INPUT type="text" name="orderID"
>        value="<%= orderView.getStringItem("orderID") %>" >
>
> When a user inputs string delimiters (", ') or other special characters in
> the input field it may create havoc:
> * If Joe "Bob" is entered, the first " terminates my string
> surrounding the value and the field is left as Joe after the form is
> submitted.
> * If Joe "Bob's is entered, the " terminates the value string, the '
> starts a new string and the rest of my HTML / JSP is mangled until another '
> is encountered somewhere in the page.
> * What if Joe "<TABLE><TR><TD> was entered OR Joe"<%
> orderView.remove() OR some other devious plot.
>
> What to do? I could
> * Cleanse any quotes during the onKeypress event with JavaScript. But
> that's not too cool. Also, this won't help if the data comes from some
> other source than my JSP page.
> * I could cleanse the string on the server side but I don't really
> want to take the performance hit of string operations in fetching every
> single input field.
> * I could omit the optional "s in the HTML, but many of the tools
> (Websphere Studio, Script Builder, etc.) keep putting them back in.
>
> Any ideas? This must be a common problem.

You need to encode the special characters (single and double quotes) that
may appear in the form element value (or any HTML attribute value actually).
The examples in my book use a utility class for this, called StringFormat.
It would be used like this in your example:
<INPUT type="text" name="orderID"
       value="<%= StringFormat.toHTMLString(orderView.getStringItem("orderID")) %>" >
As for your concerns about performance doing this, I don't see that it's a
problem. Your database operation is many orders of magnitude more expensive,
so this operation should not have any negative impact.
For more details, look at the Formatted Output Example, Chapter 6, at:
<http://TheJSPBook.com/>
Hans
--
Hans Bergsten [EMAIL PROTECTED]
Gefion Software http://www.gefionsoftware.com
Author of JavaServer Pages (O'Reilly), http://TheJSPBook.com
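The attribute encoding Hans describes, as an added example that is not the StringFormat class from the book nor code from either poster: a hypothetical HtmlAttrEncoder whose toAttributeValue() escapes the characters that can terminate a quoted attribute value or start markup, run over the inputs from the question.

```java
/**
 * Added example (hypothetical class name, not the book's StringFormat):
 * escapes a string so it is safe inside a quoted HTML attribute value.
 */
public final class HtmlAttrEncoder {

    /** Encode the five characters that can break out of an attribute or open a tag. */
    public static String toAttributeValue(String s) {
        if (s == null) {
            return "";
        }
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break; // keeps entities in the data literal
                case '<':  out.append("&lt;");   break; // no tag can start (also covers "<%")
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break; // cannot close a double-quoted value
                case '\'': out.append("&#39;");  break; // cannot close a single-quoted value
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed inputs, taken from the cases listed in the question.
        String[] samples = {
            "Joe \"Bob\"",
            "Joe \"Bob's",
            "Joe \"<TABLE><TR><TD>",
            "Joe\"<% orderView.remove()",
        };
        for (String v : samples) {
            // What the JSP page would now emit for the orderID field.
            System.out.println("<INPUT type=\"text\" name=\"orderID\" value=\""
                    + toAttributeValue(v) + "\">");
        }
    }
}
```

Because the encoding happens when the page is rendered, the browser receives `&quot;`, `&#39;` and `&lt;` instead of characters that close the attribute or open a tag, so the field shows the full value (Joe "Bob's) after the round trip; submitted text containing `<%` is never compiled by the JSP engine, since the page was translated before the request arrived.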