Nikolaos Giannopoulos <nikol...@...> writes:
>
> Hi,
>
> Freddy's book is awesome and has a Security chapter that covers XSS
> though it appears to me to take an inverted view on XSS attacks.
>
> Here is what I think:
>
> 1) All user data should be considered unsafe and "sanitized" before
> being processed i.e. I don't want say <script> to be stored as-is in any
> field in the DB vs. when displaying the data make sure to filter the <
> and > for &lt; and &gt;
>
> 2) There needs to be an attempt to handle other things like converting '
> to \' and \ to \\ and some SQL things like DELETE FROM and on and on...
>
> 3) Also content is typically (at least in our case) viewed far more
> often than it is stored... so it would be more efficient to do
> processing on the front-end vs. the back-end
>
> With all that said, I wonder if an appropriate solution would be to
> build a XssStringTypeConverter that encapsulates this filtering... and
> then through the @Validate do something like:
>
> @Validate(field = "someField", converter=XssStringTypeConverter.class)
>
> Of course this can get tedious but as we are using @StrictBinding to
> force only fields in @Validate to be injected this doesn't seem that bad.
>
> What do others think of this solution? What other solutions are being
> used? Perhaps this should be built-in to Stripes.
>
> Thought??? Comments??? All welcome and appreciated.
>
> --Nikolaos
>
> ------------------------------------------------------------------------------
> Nokia and AT&T present the 2010 Calling All Innovators-North America contest
> Create new apps & games for the Nokia N8 for consumers in U.S. and Canada
> $10 million total in prizes - $4M cash, 500 devices, nearly $6M in marketing
> Develop with Nokia Qt SDK, Web Runtime, or Java and Publish to Ovi Store
> http://p.sf.net/sfu/nokia-dev2dev
>
I think the best practice would be to store the data in its original form and convert it when it's viewed. If you escape everything for display on the web you limit what you can do with the data in the future.

If you are doing a lot of display and not a lot of updates you could always cache the sanitized version in memory or using a caching project. We use Apache JCS (Java Caching System) and it works well for us. There are a lot of others out there too.

If you don't want to go the cached route you could always store the original in a separate field in the database from the escaped version. This could create a significant overhead though.

Anyway those are just my thoughts, I'd love to hear what others would advise.

Thanks,
Scott

_______________________________________________
Stripes-users mailing list
Stripes-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/stripes-users
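A plain-Java illustration of the store-raw, encode-on-output approach argued for in this reply, with the encoded form memoized on the model object as a stand-in for the in-memory cache Scott mentions. This is an added example, not code from the thread, from Stripes, or from Apache JCS; the `Comment` class, its field names, the `escapeHtml` helper and the sample input are all constructed for the demo. The final lines show what goes wrong with the escape-at-storage approach from the original post: once data is escaped on the way in, a view layer that (correctly) escapes again on the way out double-encodes it.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

/**
 * Added example (not Stripes code): keep the raw user input in the model and
 * encode it for HTML only when it is rendered.
 */
public class OutputEncodingDemo {

    /** Encode a string for placement in an HTML text node or quoted attribute value. */
    public static String escapeHtml(String raw) {
        if (raw == null) {
            return "";
        }
        StringBuilder sb = new StringBuilder(raw.length() + 16);
        for (int i = 0; i < raw.length(); i++) {
            char c = raw.charAt(i);
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** A comment as it is stored: the original text, untouched (hypothetical model class). */
    public static final class Comment {
        private final String body;
        private volatile String htmlBody; // encoded form, computed on first render

        public Comment(String body) {
            this.body = body;
        }

        /** Raw text, still usable by non-HTML consumers (plain-text mail, JSON, search index). */
        public String getBody() {
            return body;
        }

        /** HTML-safe form, computed once and kept, since views far outnumber writes. */
        public String getHtmlBody() {
            String h = htmlBody;
            if (h == null) {
                h = escapeHtml(body);
                htmlBody = h;
            }
            return h;
        }
    }

    /** Process-wide cache keyed by comment id, mirroring the "cache the sanitized version" idea. */
    private static final Map<Long, String> HTML_CACHE = new ConcurrentHashMap<>();

    public static String renderCached(long id, Comment c) {
        return HTML_CACHE.computeIfAbsent(id, k -> escapeHtml(c.getBody()));
    }

    public static void main(String[] args) {
        // Constructed sample input containing markup that must not reach the browser as-is.
        Comment c = new Comment("Tom & Jerry <script>alert(1)</script>");

        System.out.println("stored : " + c.getBody());
        System.out.println("html   : " + c.getHtmlBody());
        System.out.println("cached : " + renderCached(42L, c));

        // Escape-at-storage, then escape-at-render, double-encodes: the reader
        // sees the literal characters "&lt;script&gt;" instead of "<script>".
        String storedEscaped = escapeHtml(c.getBody());
        System.out.println("double : " + escapeHtml(storedEscaped));
    }
}
```

Two caveats for anyone applying this in a Stripes view: the helper above covers the HTML text and attribute contexts only; a value dropped into a `<script>` block, an inline event handler or a URL needs that context's own encoding. And in JSP pages JSTL's `<c:out>` already performs this HTML escaping by default (`escapeXml` is true), so rendering raw model values through it, rather than pre-escaping them in a type converter, is the simpler way to get the output-time encoding this reply recommends.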