Thanks for the ideas. Overriding the retrieveParameters(ActionContext ac) method seems a good solution, although that would imply doing it to all parameters. While that could be ok, I would like to take a less aggressive approach. One option I'm considering is to use a custom Converter that could take care of this, so I could set up the converter only on those parameters I know I need to filter. What do you think?
2014-11-19 4:57 GMT-05:00 Lukasz Lenart <lukaszlen...@apache.org>:

> 2014-11-19 4:57 GMT+01:00 JOSE L MARTINEZ-AVIAL <jlm...@gmail.com>:
> > Hello,
> > We are using Struts 2.3.16.3 for our application. Due to security
> > reasons, we need to "clean" the user's input in order to avoid XSS. We are
> > using JSoup for that, with success
> > (http://jsoup.org/cookbook/cleaning-html/whitelist-sanitizer).
> >
> > The issue is that we haven't found a really good way to integrate it with
> > Struts. Basically we need to pass every String parameter through JSoup to
> > sanitize it, and right now we are doing it manually on the execute method of
> > the action, after the parameters have been loaded in the action and
> > validated. We would like to do it automatically when the parameters are set
> > in the action. In the normal actions we can do it in the getter, but some
> > actions have java beans for parameters, and we don't want to integrate the
> > Jsoup call in the bean methods. Any suggestions about how to do this?
>
> You can override ParametersInterceptor's
> retrieveParameters(ActionContext ac) method and then build your custom
> stack. Or you can develop custom interceptor and put it on the top of
> your stack and do ActionContext.get/setParameters() in intercept()
> method.
>
>
> Regards
> --
> Łukasz
> + 48 606 323 122 http://www.lenart.org.pl/
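As an added illustration (not code from either mail in this thread) of the second option Lukasz describes: a custom interceptor placed ahead of "params" that passes every String[] request parameter through Jsoup, so ParametersInterceptor pushes already-sanitized values into the action and any nested beans. The class, package and stack names are assumptions; it targets the Struts 2.3 / XWork API where ActionContext.getParameters() returns Map<String, Object>.

```java
package example.security; // assumed package name

import java.util.HashMap;
import java.util.Map;

import org.jsoup.Jsoup;
import org.jsoup.safety.Whitelist;

import com.opensymphony.xwork2.ActionContext;
import com.opensymphony.xwork2.ActionInvocation;
import com.opensymphony.xwork2.interceptor.AbstractInterceptor;

/*
 * struts.xml wiring (assumed names): register this interceptor and put it
 * BEFORE defaultStack so it runs ahead of the "params" interceptor.
 *
 *   <interceptor name="jsoupParams" class="example.security.JsoupParamsInterceptor"/>
 *   <interceptor-stack name="sanitizedStack">
 *     <interceptor-ref name="jsoupParams"/>
 *     <interceptor-ref name="defaultStack"/>
 *   </interceptor-stack>
 */
public class JsoupParamsInterceptor extends AbstractInterceptor {

    // Whitelist.none() strips every tag and keeps only text content.
    private final Whitelist whitelist = Whitelist.none();

    @Override
    public String intercept(ActionInvocation invocation) throws Exception {
        ActionContext ac = invocation.getInvocationContext();
        Map<String, Object> original = ac.getParameters();
        // The parameter map handed over by the servlet layer may be
        // unmodifiable, so build a fresh copy and swap it in wholesale.
        Map<String, Object> cleaned = new HashMap<String, Object>(original.size());
        for (Map.Entry<String, Object> e : original.entrySet()) {
            cleaned.put(e.getKey(), clean(e.getValue()));
        }
        ac.setParameters(cleaned);
        return invocation.invoke();
    }

    /** Struts stores each request parameter as a String[] (multi-valued). */
    Object clean(Object value) {
        if (!(value instanceof String[])) {
            return value; // leave non-string entries (e.g. uploads) untouched
        }
        String[] in = (String[]) value;
        String[] out = new String[in.length];
        for (int i = 0; i < in.length; i++) {
            out[i] = in[i] == null ? null : Jsoup.clean(in[i], whitelist);
        }
        return out;
    }
}
```

Note that Jsoup.clean returns HTML, so characters such as & and < come back entity-encoded (&amp;, &lt;) and stored values are no longer the raw text the user typed; output encoding in the view remains the control that actually prevents XSS, with this input filter as defence in depth.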