I did determine why POSIX regular expressions did not seem to be working. The server-side Java-based validations work correctly; it was the client-side JavaScript implementation that was failing when constructing the regular expression. From my brief investigation into this, it would seem that the JavaScript engine in the browser uses a slightly different POSIX dialect than Java.

Back to the general XSS mitigation approach, I am curious about others' experiences with HTML escaping. It would seem that I would need to know the context in which a piece of data is being used for this technique to work correctly. I tried a second attempt at the HTML encoding, and that is to *only* HTML escape the data being fed to the UI. The one thing I noticed is that this escaped data is not translated back to the character set when fed into an input field. So, HTML escaped Shift-JIS data displays correctly in static HTML, but remains as the escaped values when loaded into an input field.

I didn't find any Struts 2 tag option to unescape data, implying that I would need to conditionally encode the data going to the UI based on the context in which it is to be used. This strikes me that it would seem to handcuff you when implementing a boundary solution as the should not know how the piece of data is being used.

Jishnu Viswanath wrote:
>
> Hey egetchell,
> Don't know whether that's your name, but anyway.
> I don't know if this is the solution you are looking for
> <field name="nameOfTheField">
>   <field-validator type="typeOfValidator">
>     <message key="error.validation.regexp"/>
>   </field-validator>
> </field>
>
> Now you need to map the validator,
> Put a validators.xml in the resources folder, the same folder where
> struts.xml exists
>
> <validators>
>   <validator name="typeOfValidator" class="package.ClassName"/>
> </validators>
>
> ClassName should extend RegexFieldValidator
> Override the validate method, do whatever you want there. This should work.
>

--
View this message in context: http://www.nabble.com/Using-POSIX-Regular-Expressions-for-Internationalized-Validation-tp19844314p19883000.html
Sent from the Struts - User mailing list archive at Nabble.com.
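
Added example, not part of the original thread and not Struts code: a self-contained Java sketch of the input-field symptom described above, comparing data escaped at the boundary and then written through a tag that escapes again with data kept raw and escaped once at the output point. The class and method names are hypothetical, and it assumes both the boundary escaper and the view tag behave like `escapeHtml` here (including numeric entities for non-ASCII characters).

```java
public class EncodeOnceDemo {

    // Minimal encoder for HTML text and quoted attribute values (assumed behaviour).
    static String escapeHtml(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); ) {
            int cp = s.codePointAt(i);
            i += Character.charCount(cp);
            switch (cp) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:
                    // Non-ASCII becomes a numeric character reference.
                    if (cp > 0x7E) out.append("&#").append(cp).append(';');
                    else out.appendCodePoint(cp);
            }
        }
        return out.toString();
    }

    // Hypothetical stand-in for a view tag that escapes the value it writes.
    static String renderInput(String name, String value) {
        return "<input type=\"text\" name=\"" + escapeHtml(name)
             + "\" value=\"" + escapeHtml(value) + "\"/>";
    }

    public static void main(String[] args) {
        // Constructed sample: two kanji (U+5C71 U+7530) followed by markup.
        String raw = "\u5C71\u7530 <b>\"x\"</b>";

        // Boundary escaping: the stored value is already encoded, and the tag
        // encodes it again, so every '&' of the first pass becomes "&amp;".
        String stored = escapeHtml(raw);
        System.out.println("escaped twice: " + renderInput("name", stored));
        // value="&amp;#23665;&amp;#30000; &amp;lt;b&amp;gt;..." -> the browser
        // decodes one layer and the field shows the entity text literally.

        // Encode once: keep the raw value and escape only where it is written.
        System.out.println("escaped once:  " + renderInput("name", raw));
        // value="&#23665;&#30000; &lt;b&gt;&quot;x&quot;&lt;/b&gt;" -> the
        // field shows the original characters and the markup stays inert.
    }
}
```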