It's true that <c:out> or ${fn:escapeXml(whatever)} offers protection against XSS attacks involving injected HTML/XML markup, but that's not really enough on the client side. If user-tainted content is emitted into a JavaScript context, then it has to be protected differently (most effectively, with a JSON serializer).
On Wed, Oct 15, 2014 at 3:21 AM, VANKEISBELCK Remi <r...@rvkb.com> wrote:
> Hi,
>
> I guess you can validate whatever you want by providing your own
> ActionBeanPropertyBinder :
> net.sourceforge.stripes.controller.ActionBeanPropertyBinder
>
> I think it can be done very easily by overriding a single method in there,
> maybe :
> net.sourceforge.stripes.controller.DefaultActionBeanPropertyBinder#bind(net.sourceforge.stripes.action.ActionBean,
> java.lang.String, java.lang.Object)
>
> If the value is a String, then check for XSS, and sanitize the String
> before setting the bean prop if needed.
>
> When you output anything in JSP, you should be safe using jstl's <c:out> :
> it escapes Xml by default.
>
> Cheers
>
> Rémi
>
>
> 2014-10-14 22:53 GMT+02:00 Adam Stokar <ajsto...@gmail.com>:
>>
>> Hi everyone,
>>
>> Does Stripes have an easy way to remove HTML from user input to prevent
>> XSS attacks? I've googled with no success.
>>
>> Thanks,
>>
>>
>> ------------------------------------------------------------------------------
>> Comprehensive Server Monitoring with Site24x7.
>> Monitor 10 servers for $9/Month.
>> Get alerted through email, SMS, voice calls or mobile push notifications.
>> Take corrective actions from your mobile device.
>> http://p.sf.net/sfu/Zoho
>> _______________________________________________
>> Stripes-users mailing list
>> Stripes-users@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/stripes-users
>>
>
>

--
Turtle, turtle, on the ground,
Pink and shiny, turn around.
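The distinction the top reply draws between an HTML context and a JavaScript context, shown as an added example that is not code from this thread or from Stripes: escapeXml mimics JSTL's fn:escapeXml, while jsonForScript, roundTrip and compare are hypothetical helper names, and the script runs under Node.js.

```javascript
// Added example (not from the thread or from Stripes): why fn:escapeXml-style
// escaping is the wrong tool once a value lands inside a <script> string
// literal, and why a JSON serializer is the right one. Runs under Node.js.

// Mimics JSTL fn:escapeXml: adequate for an HTML text or attribute context.
const XML_ESCAPES = { '<': '&lt;', '>': '&gt;', '&': '&amp;', "'": '&#039;', '"': '&#034;' };
function escapeXml(s) {
  return String(s).replace(/[<>&'"]/g, (ch) => XML_ESCAPES[ch]);
}

// Serialize for a JavaScript context. JSON.stringify yields a valid JS string
// literal for any input (quotes, backslashes and newlines are escaped); the
// extra replacements keep "</script>" from ending the script block and encode
// the U+2028/U+2029 line terminators, which older engines reject in a literal.
function jsonForScript(value) {
  return JSON.stringify(value)
    .replace(/</g, '\\u003c')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// Parse an emitted literal the way the browser's JS engine would. Returns the
// value the page's script would see, or null when the literal is not valid
// JavaScript (the browser would then drop the entire <script> block).
function roundTrip(literal) {
  try {
    return new Function('return ' + literal + ';')();
  } catch (e) {
    return null;
  }
}

// Emit the same user value both ways, as a JSP might:
//   var name = '${fn:escapeXml(name)}';   versus   var name = ${jsonOf(name)};
function compare(userInput) {
  return {
    xmlEscaped: roundTrip("'" + escapeXml(userInput) + "'"),
    json: roundTrip(jsonForScript(userInput)),
  };
}

// Constructed sample: an ordinary multi-line text field is enough to break the
// escapeXml version (the newline splits the literal); the JSON form survives.
const SAMPLE = "O'Neil\nline two";
```

Note that even a plain apostrophe is mangled by the XML-escaped form (the script receives the literal text `&#039;`, since entities are not decoded inside a script block), so the JSON form is the correct choice for data as well as for safety.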