Everything is clear now. I had misunderstood the previous posts as suggestions to physically alter the user’s input via HTML escaping/unescaping at the boundary layer of Struts.
I totally agree with this XSS mitigation approach and have added the escape=”true” attribute to all our property tags and verified we don’t use the text tag anywhere. No issues with SQL injection as we’ve been using prepared statements in Hibernate from day one. Thanks all! Brad A Cupit wrote: > > From: egetchell [mailto:[EMAIL PROTECTED] > Sent: Wednesday, October 08, 2008 11:56 AM >> The one thing I noticed is that this escaped >> data is not translated back to the character >> set when fed into an input field. > > Perhaps this is an over simplification, but could you just persist the > raw, unescaped text that the user inputs, then use something like this: > > <s:property value="%{rawText}" escape="true"/> > -- or -- > <c:out value=${rawText} escapeXml="true"/> > > For text fields you could then just use the rawText unescaped and it would > be exactly the way the user entered it. > > Looking back in the history for this post, this idea is basically what > Greg Lindholm suggested [1]. > > To reword what he also said about SQL injection: > Just use PreparedStatements with '?' placeholders (or Hibernate, or some > other library which will protect you from SQL injection attacks). > > [1] > http://www.nabble.com/Using-POSIX-Regular-Expressions-for-Internationalized-Validation-td19844314.html#a19858027 > > Brad Cupit > Louisiana State University - UIS > > -- View this message in context: http://www.nabble.com/Using-POSIX-Regular-Expressions-for-Internationalized-Validation-tp19844314p19899277.html Sent from the Struts - User mailing list archive at Nabble.com. --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
