Sorry, I've never heard of whitelisting of allowable characters as being a "normal" approach. I've developed many multi-language web applications, some with Struts (1 & 2) and some without. Typically you have to watch for two things: 1) when re-displaying anything a user has entered you need to ensure it is properly escaped for HTML; the Struts <s:property> tag nicely takes care of this for you. 2) Prevent SQL injection by using compiled parametrized SQL statements (like Hibernate will do for you).
egetchell wrote:
>
> All,
>
> I am one of the architects behind a multi-language site using Struts 2.
> To mitigate XSS exposure, defining a whitelist of allowable characters is
> the normal approach, but seems to become a non-trivial exercise when
> supporting multiple languages (we will be supporting 15). My
> understanding is using POSIX based regular expressions allow combining
> language-specific character sets in a single regular expression. This is
> my first foray into the subject of multi-language validation, so I
> apologize in advance if this is not the correct forum for these two
> questions:
>
> First, does Struts 2 support POSIX regular expressions? I’ve tried a
> bunch of attempts to just get a simple example working and have had little
> luck. From my research, I believe the following is expected to work:
>
> <field-validator type="regex">
>
> <![CDATA[\\p{Alpha}*]]>
>
> <message>Invalid Field</message>
> </field-validator>
>
> Secondly, as a more general (and possibly non-Struts2 specific question),
> has anyone had experience in implementing multi-language whitelists? The
> information on the Internet is quite vague, so I’m not sure if this is
> still a black art making people a bit more close-lipped on the subject.
>
> Thanks!
>
> Eric Getchell | Sr. Technologist
> Distributed Logic Corporation
> 600 Unicorn Park
> Woburn, MA 01801
> Email: [EMAIL PROTECTED]
>

--
View this message in context: http://www.nabble.com/Using-POSIX-Regular-Expressions-for-Internationalized-Validation-tp19844314p19858027.html
Sent from the Struts - User mailing list archive at Nabble.com.
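The `\p{Alpha}` question above, as an added example that is not from either poster: Struts 2's regex validator delegates to `java.util.regex`, where the POSIX class `\p{Alpha}` is ASCII-only by default, while the Unicode category classes `\p{L}` (letters) and `\p{M}` (combining marks) cover every script, which is what a 15-language whitelist needs. The class name and the sample strings are constructed for this demo.

```java
import java.util.Arrays;
import java.util.List;
import java.util.regex.Pattern;

public class UnicodeWhitelistDemo {

    // POSIX class as used in the question: in java.util.regex this matches
    // only US-ASCII letters [a-zA-Z], so every non-English name is rejected.
    static final Pattern ASCII_ALPHA = Pattern.compile("\\p{Alpha}*");

    // Unicode general-category whitelist: must start with a letter, then any
    // mix of letters, combining marks (decomposed accents), space, apostrophe
    // and hyphen. Anchors (^ $) make it a whole-value check, not a substring one.
    static final Pattern UNICODE_NAME =
            Pattern.compile("^\\p{L}[\\p{L}\\p{M} '-]*$");

    static boolean isAsciiAlpha(String value) {
        return ASCII_ALPHA.matcher(value).matches();
    }

    static boolean isUnicodeName(String value) {
        return UNICODE_NAME.matcher(value).matches();
    }

    public static void main(String[] args) {
        // Constructed inputs: Latin, accented Latin, CJK, Greek, an Irish
        // surname with an apostrophe, and a markup string that must be rejected.
        List<String> samples = Arrays.asList(
                "Eric", "Zoë", "Müller", "山田", "Γιώργος", "O'Brien", "<script>");
        for (String s : samples) {
            System.out.printf("%-10s posix=%-5b unicode=%-5b%n",
                    s, isAsciiAlpha(s), isUnicodeName(s));
        }
        // Expected: only "Eric" passes the POSIX class; all names pass the
        // Unicode class; "<script>" fails both.
    }
}
```

Input whitelisting of this kind limits what reaches the application, but as the reply notes it does not replace escaping on output (`<s:property>`) or parametrized SQL; an apostrophe is a legitimate name character and still has to be handled correctly downstream.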