On Wed, 11 Aug 2004 14:45:05 +0100, James Adams <[EMAIL PROTECTED]> wrote:
> Hello all,
>
> I'm in the process of trying to secure my struts application against "Cross site
> scripting", "SQL injection" style attacks.
>
> One of the things I'm doing to prevent this is trying to restrict special characters
> (;.<>(){}...etc) getting beyond the validator.
>
> At the moment I'm using the validator plugin, within my validation.xml I use the
> "mask" validator with the regular expression;
>
> ......
> <var-name>mask</var-name>
>
> <var-value>^[^;"'\.\^\$\*\+\?\{\}\[\]\\\|\(\)]+$</var-value>
>
> ......
>
> 1. Does anyone know the syntax for also preventing < > & within the regular
> expression bearing in mind its declared in XML?
In your regexp, you can specify "<" & ">" entities as "&lt;" and
"&gt;" respectively.
>
> Or is there some kind of default validator that does this?
>
> 2. Some of my action functions also take input in the url as a GET which does not go
> through the Validator, this is then used to access a DB, these also need to be
> secured. Obviously I can do this within each individual Action class, but where
> would be the best single place I could stop characters like < > ; & ever getting as
> far as the Action classes?
>
1) You can use a strategy similar to the one described in the below url
http://wiki.apache.org/struts/StrutsCatalogBaseAction
OR
2) You can also define a custom RequestProcessor and override
processPreprocess(HttpServletRequest request, HttpServletResponse
response).
> Any other suggestions would be much appreciated, as I couldn't find very much
> related to securing struts applications
>
> many thanks in advance
>
> regards
>
> James
>
>
Kishore Senji.
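The second suggestion above, a custom RequestProcessor, as an added example that is not from the original thread: the allow-list from the question's validator mask (plus `< > &`) is applied to every request parameter, GET or POST, before any Action runs. The class name, package and the exact character set are assumptions; adjust them to what the application legitimately needs.

```java
// Added example (not from the original thread): a Struts 1.x RequestProcessor that
// checks every request parameter against an allow-list before any Action is invoked.
// Registered in struts-config.xml with:
//   <controller processorClass="com.example.SafeParamsRequestProcessor"/>
package com.example;

import java.io.IOException;
import java.util.Enumeration;
import java.util.regex.Pattern;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.struts.action.RequestProcessor;

public class SafeParamsRequestProcessor extends RequestProcessor {

    // Same idea as the validator mask in the question, as a Java regex: reject any
    // value containing ; " ' . ^ $ * + ? { } [ ] \ | ( ) < > &  (assumed set).
    // "*" rather than "+" so an empty parameter value is not rejected.
    private static final Pattern SAFE_VALUE =
        Pattern.compile("^[^;\"'.^$*+?{}\\[\\]\\\\|()<>&]*$");

    // Struts calls this before form population and before the Action; returning
    // false stops processing of the request.
    protected boolean processPreprocess(HttpServletRequest request,
                                        HttpServletResponse response) {
        Enumeration names = request.getParameterNames();
        while (names.hasMoreElements()) {
            String name = (String) names.nextElement();
            String[] values = request.getParameterValues(name);
            for (int i = 0; values != null && i < values.length; i++) {
                if (!SAFE_VALUE.matcher(values[i]).matches()) {
                    try {
                        // Reject the whole request; the parameter name is safe to
                        // echo only because it must itself pass the same check.
                        response.sendError(HttpServletResponse.SC_BAD_REQUEST,
                                           "Invalid characters in request parameter");
                    } catch (IOException e) {
                        servlet.log("Could not send 400 response", e);
                    }
                    return false;
                }
            }
        }
        return true;
    }
}
```

If the same character class is kept in validation.xml, `&` itself must be written as `&amp;` there. Rejecting characters is only a first filter: database access should still go through PreparedStatement with bound parameters, and values written back into pages should be HTML-encoded.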