Hi,

On 21/03/2012 17:54 PM, foxesout wrote:
Hello,
I have a Click application and to safeguard the app from Cross Site
Scripting we are stripping off all of the < and > request tags in our
Filter. It works when the user enters something with these greater than or
less than tags into the input fields of the page.
But when we modify the URL itself with something like
=</td>

Not sure what you mean here? You put a table cell in the url? You can place a breakpoint in your filter to check which parameters are escaped.

We still get an alert on the page even though we see in our logs that the
request goes through the filter and the tags get stripped off.
But it looks like the java script gets executed before we hit the filter.
Javascript is executed in the browser. The filter is run on the server.
Do you place the variable in your Velocity templates which is then executed? I personally don't filter input as there might be use cases where you do want a < or >, i.e., mathematical formulas or input of some kind of markup.

Instead I escape the variables at rendering time. In your templates you can do
something like:

$format.escape($var)

regards

Bob


We have the same set up in the other Struts application and this doesn't
happen.

Any suggestions?

--
View this message in context: 
http://click.1134972.n2.nabble.com/Javascript-is-executed-before-the-Filter-Cross-site-scripting-tp7392633p7392633.html
Sent from the click-user mailing list archive at Nabble.com.
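The contrast Bob draws between stripping < and > on input and escaping at render time, as an added example that is not code from the thread, from Click or from Velocity. It uses its own `htmlEscape` helper to stand in for `$format.escape($var)`, and the sample values are constructed.

```java
/** Added example: why render-time escaping is more robust than stripping
 *  '<' and '>' from request parameters in a servlet filter. Not Click's code. */
public class RenderTimeEscaping {

    /** The approach described in the question: remove only '<' and '>' on input. */
    static String stripAngleBrackets(String input) {
        return input.replace("<", "").replace(">", "");
    }

    /** Escape every HTML-significant character at render time. This is our own
     *  helper standing in for what $format.escape($var) does in a Velocity template. */
    static String htmlEscape(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Render a value into an attribute, as a template line like
     *  <input type="text" value="$var"> would. */
    static String renderAttribute(String value) {
        return "<input type=\"text\" value=\"" + value + "\">";
    }

    public static void main(String[] args) {
        // Constructed sample values, not taken from the thread.
        String quoted  = "O'Reilly & \"friends\"";
        String formula = "a < b && b > c";

        // Input stripping leaves quotes and ampersands untouched, so inside an
        // attribute the raw value still terminates the attribute early.
        System.out.println(renderAttribute(stripAngleBrackets(quoted)));

        // Input stripping also destroys legitimate data such as a formula.
        System.out.println(renderAttribute(stripAngleBrackets(formula)));

        // Render-time escaping keeps the user's text intact and neutralises
        // every character that matters in the HTML context it lands in.
        System.out.println(renderAttribute(htmlEscape(quoted)));
        System.out.println(renderAttribute(htmlEscape(formula)));
    }
}
```

Run it and compare the four lines: only the two escaped renderings keep the attribute boundaries intact while still preserving the original characters for the browser to display.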
