Re: best approach to clean parameters using Jsoup
Yeah... basically conversion isn't needed in that case ;-)

2014-11-20 15:32 GMT+01:00 JOSE L MARTINEZ-AVIAL :
> In the case of the parameter "parameter", the setter receives a single
> String, and since originally the parameter is an array of String, there is
> no perfect match, and OGNL uses XWorkConverter to do the job. But in the
> case of the parameter "parameterArray" the setter receives an array of
> String, so there is a perfect match and therefore XWorkConverter is not
> used; it just calls the setter with the parameter, so the converter is not
> used.
Re: best approach to clean parameters using Jsoup
I just used the annotation:

    private String parameterArray[] = null;

    @TypeConversion(rule = ConversionRule.COLLECTION, type = ConversionType.CLASS,
            converter = "com.xxx.yyy.util.conversion.struts2.JSoupConversor")
    public void setParameterArray(String parameterArray[]) {
        this.parameterArray = parameterArray;
        LOG.debug("parameterArray " + Arrays.toString(parameterArray));
    }

Anyway, I discovered why it is not used when the parameter is an array of
String. In the process of looking for the appropriate setter for the
parameter (which is always an array of String), OGNL uses the method
OgnlRuntime.getAppropriateMethod. This method returns the most appropriate
setter for the parameter. If it does not find one, it calls
getConvertedMethodAndArgs, which in turn calls XWorkConverter to convert
the value, which in turn calls the custom converter. But if there is a
perfect match for the setter, then XWorkConverter is not used.

In the case of the parameter "parameter", the setter receives a single
String, and since originally the parameter is an array of String, there is
no perfect match, and OGNL uses XWorkConverter to do the job. But in the
case of the parameter "parameterArray" the setter receives an array of
String, so there is a perfect match and therefore XWorkConverter is not
used; it just calls the setter with the parameter, so the converter is not
used.

2014-11-20 7:48 GMT-05:00 Lukasz Lenart :
> How did you register it?
Re: best approach to clean parameters using Jsoup
How did you register it?

2014-11-19 12:55 GMT+01:00 JOSE L MARTINEZ-AVIAL :
> Quick question here. I'm working on the approach to use a custom converter.
> It works fine for standard parameters (just a String), but I'm having
> issues when the getter receives a String[] parameter.
Re: best approach to clean parameters using Jsoup
Quick question here. I'm working on the approach to use a custom converter.
It works fine for standard parameters (just a String), but I'm having issues
when the getter receives a String[] parameter:

    private String parameter = null;

    @TypeConversion(type = ConversionType.CLASS,
            converter = "com.xxx.yyy.util.conversion.struts2.JSoupConversor")
    public void setParameter(String parameter) {
        this.parameter = parameter;
        LOG.debug("simple parameter " + parameter);
    }

    private String parameterArray[] = null;

    @TypeConversion(rule = ConversionRule.COLLECTION, type = ConversionType.CLASS,
            converter = "com.xxx.yyy.util.conversion.struts2.JSoupConversor")
    public void setParameterArray(String parameterArray[]) {
        this.parameterArray = parameterArray;
        LOG.debug("parameterArray " + Arrays.toString(parameterArray));
    }

The JSoupConversor has a minimal implementation of the conversion:

    public Object convertValue(Map context, Object o, Class toClass) {
        LOG.debug("convertValue " + o);
        return super.convertValue(context, o, toClass);
    }

    public Object convertFromString(Map context, String[] values, Class toClass) {
        LOG.debug("convertFromString " + Arrays.toString(values));
        return null;
    }

    public String convertToString(Map context, Object o) {
        LOG.debug("convertToString " + o);
        if (o != null)
            return o.toString();
        return null;
    }

    protected Object performFallbackConversion(Map context, Object o, Class toClass) {
        LOG.debug("performFallbackConversion " + o);
        return super.convertValue(context, o, toClass);
    }

The issue is that the converter is not being called for the parameterArray,
although the setter is being called. The logs are as follows:

    com.opensymphony.xwork2.interceptor.ParametersInterceptor - Setting params parameter => [ value1 ] parameterArray => *[ value2, value3 ]*
    com.opensymphony.xwork2.conversion.impl.DefaultConversionAnnotationProcessor - TypeConversion [com.xxx.yyy.util.conversion.struts2.JSoupConversor] with key: [parameter]
    *com.opensymphony.xwork2.conversion.impl.DefaultConversionAnnotationProcessor - TypeConversion [com.xxx.yyy.util.conversion.struts2.JSoupConversor] with key: [parameterArray]*
    com.xxx.yyy.util.conversion.struts2.JSoupConversor - convertValue [Ljava.lang.String;@1028f08
    com.xxx.yyy.util.conversion.struts2.JSoupConversor - convertToString [Ljava.lang.String;@1028f08
    com.xxx.yyy.modules.test.controller.action.json.TestJSON - simple parameter [Ljava.lang.String;@1028f08
    com.xxx.yyy.modules.test.controller.action.json.TestJSON - *parameterArray [value2, value3]*
    com.opensymphony.xwork2.validator.ValidationInterceptor - Invoking validate() on action com.spb.eco.modules.test.controller.action.json.TestJSON@1f4ca39

So I see the converter being called for parameter, but not for parameterArray,
but the parameterArray is actually being set. What am I missing?

Thanks

2014-11-19 6:18 GMT-05:00 JOSE L MARTINEZ-AVIAL :
> Thanks for the ideas. Overwriting retrieveParameters(ActionContext ac)
> method seems a good solution, although that would imply doing it to all
> parameters. While that could be ok, I would like to take a less aggressive
> approach. One option I'm considering is to use a custom Converter that
> could take care of this, so I could set up the converter only in those
> parameters I know I need to filter. What do you think?
Re: best approach to clean parameters using Jsoup
Thanks for the ideas. Overwriting retrieveParameters(ActionContext ac)
method seems a good solution, although that would imply doing it to all
parameters. While that could be ok, I would like to take a less aggressive
approach. One option I'm considering is to use a custom Converter that
could take care of this, so I could set up the converter only in those
parameters I know I need to filter. What do you think?

2014-11-19 4:57 GMT-05:00 Lukasz Lenart :
> You can override ParametersInterceptor's retrieveParameters(ActionContext ac)
> method and then build your custom stack. Or you can develop a custom
> interceptor and put it on the top of your stack and do
> ActionContext.get/setParameters() in intercept() method.
Re: best approach to clean parameters using Jsoup
2014-11-19 4:57 GMT+01:00 JOSE L MARTINEZ-AVIAL :
> Hello,
> We are using Struts 2.3.16.3 for our application. Due to security
> reasons, we need to "clean" the user's input in order to avoid XSS. We are
> using JSoup for that, with success
> (http://jsoup.org/cookbook/cleaning-html/whitelist-sanitizer).
>
> The issue is that we haven't found a really good way to integrate it with
> Struts. Basically we need to pass every String parameter through JSoup to
> sanitize it, and right now we are doing it manually on the execute method of
> the action, after the parameters have been loaded in the action and
> validated. We would like to do it automatically when the parameters are set
> in the action. In the normal actions we can do it in the getter, but some
> actions have Java beans for parameters, and we don't want to integrate the
> Jsoup call in the bean methods. Any suggestions about how to do this?

You can override ParametersInterceptor's retrieveParameters(ActionContext ac)
method and then build your custom stack. Or you can develop a custom
interceptor and put it on the top of your stack and do
ActionContext.get/setParameters() in intercept() method.

Regards
--
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/
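The second option Lukasz describes, as an added example that is not code from the thread: a Struts 2.3 interceptor that runs before "params" and cleans every String[] in the ActionContext parameter map with Jsoup, which also covers the String[] and nested-bean cases the converter approach in the thread misses. The class name and the Whitelist.none() policy are my choices; it assumes struts2-core 2.3.x and jsoup on the classpath.

```java
import java.util.Arrays;
import java.util.LinkedHashMap;
import java.util.Map;

import org.jsoup.Jsoup;
import org.jsoup.safety.Whitelist;

import com.opensymphony.xwork2.ActionContext;
import com.opensymphony.xwork2.ActionInvocation;
import com.opensymphony.xwork2.interceptor.AbstractInterceptor;

/**
 * Cleans every request parameter before the "params" interceptor pushes it
 * into the action. Working on the ActionContext parameter map covers single
 * values, String[] values and nested bean properties ("user.name") alike,
 * so it does not depend on which setter signature OGNL ends up matching.
 */
public class JsoupSanitizingInterceptor extends AbstractInterceptor {
    // Whitelist.none() drops all tags and attributes and keeps the text.
    private static final Whitelist POLICY = Whitelist.none();

    @Override
    public String intercept(ActionInvocation invocation) throws Exception {
        ActionContext ctx = invocation.getInvocationContext();
        // Struts 2.3.x: Map<String, Object>, values are String[] from the servlet request
        Map<String, Object> raw = ctx.getParameters();
        ctx.setParameters(sanitizeParameters(raw));
        return invocation.invoke();
    }

    /** Returns a new map in which every String and String[] value has been cleaned. */
    static Map<String, Object> sanitizeParameters(Map<String, Object> params) {
        Map<String, Object> clean = new LinkedHashMap<String, Object>();
        for (Map.Entry<String, Object> e : params.entrySet()) {
            Object v = e.getValue();
            if (v instanceof String[]) {
                String[] in = (String[]) v;
                String[] out = new String[in.length];
                for (int i = 0; i < in.length; i++) {
                    out[i] = sanitize(in[i]);
                }
                clean.put(e.getKey(), out);
            } else if (v instanceof String) {
                clean.put(e.getKey(), sanitize((String) v));
            } else {
                clean.put(e.getKey(), v);            // non-string values pass through
            }
        }
        return clean;
    }

    static String sanitize(String value) {
        if (value == null) return null;
        // Jsoup.clean returns body HTML with &, < and > entity-encoded, so the stored
        // value is already HTML-escaped and views must not encode it a second time.
        return Jsoup.clean(value, POLICY);
    }

    // Constructed sample input so the cleaning step can be run without a container.
    public static void main(String[] args) {
        Map<String, Object> request = new LinkedHashMap<String, Object>();
        request.put("parameter", new String[] { "<b>value1</b>" });
        request.put("parameterArray", new String[] { "value2", "<script>alert(1)</script>value3" });
        request.put("user.name", new String[] { "<a href=\"http://example.com\">jose</a>" });
        for (Map.Entry<String, Object> e : sanitizeParameters(request).entrySet()) {
            System.out.println(e.getKey() + " => " + Arrays.toString((String[]) e.getValue()));
        }
    }
}
```

Declare the class as an interceptor in struts.xml and place it before "params" in the custom stack; a field that legitimately carries markup needs a field-specific whitelist instead of Whitelist.none().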
Re: best approach to clean parameters using Jsoup
> Hello,
> We are using Struts 2.3.16.3 for our application. Due to security
> reasons, we need to "clean" the user's input in order to avoid XSS. We are
> using JSoup for that, with success
> (http://jsoup.org/cookbook/cleaning-html/whitelist-sanitizer).
>
> The issue is that we haven't found a really good way to integrate it with
> Struts. Basically we need to pass every String parameter through JSoup to
> sanitize it, and right now we are doing it manually on the execute method of
> the action, after the parameters have been loaded in the action and
> validated. We would like to do it automatically when the parameters are set
> in the action. In the normal actions we can do it in the getter, but some
> actions have Java beans for parameters, and we don't want to integrate the
> Jsoup call in the bean methods. Any suggestions about how to do this?
>
> Thanks
>
> JL

One approach could be to wrap it in a custom validator. This blog seems to
be a good sample:
http://www.programmingforfuture.com/2012/09/struts2-writing-custom-validator.html

Regards,
Christoph