On Sunday 18 January 2009 09:34:23 doahh wrote:

> I have been thinking about protecting an app from SQL injection and XSS
> attacks but currently know very little about this area of security. I
> started out using the Http Data Integrity Validation Framework (HDIV) but
> found it was a little too secure in that it broke bookmarks, the back button
> and attempted to grab every exception and claim it was an attack; I have
> now removed it. I have the following questions:
>
> 1) If a user enters some kind of attack into a form field does struts
> provide any defense against this?
> 2) If not should I be checking the input for double quotes, single quote,
> html close tags etc and escaping/encoding them or is there a better way?
The short answer to this question is "no." However, since Java/JSP is not perl or PHP, the backtick quotes are not a problem.

To protect against SQL injection, do not construct SQL queries using String manipulation. In almost every language, this alone is the hole. In Java/JDBC the proper facility for setting parameters in a query is to use placeholders. This means preparing a statement handle and calling the setparameter family of methods. By doing this, the JDBC driver will escape all characters that need it.

This will leave you to deal with HTML tags. Struts does provide some facilities for dealing with this. If all submitted data will be set in a struts-y way such as action properties, then you can use the s:property tag which has an "escape" parameter which will escape the result before displaying it. Unfortunately, this gives you an all-or-nothing solution. In some cases you might want a solution that allows for rich-text editing, such as using TinyMCE which will legitimately require the user to submit content requiring HTML tags. In that case, the best thing to do is add an interceptor, or logic in your action to limit the input to a fixed set of tags, and remove tags such as <script>.

-Wes

--
Wes Wannemacher
Author - Struts 2 In Practice
Includes coverage of Struts 2.1, Spring, JPA, JQuery, Sitemesh and more
http://www.manning.com/wannemacher
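The two points in the reply above, binding query parameters through JDBC placeholders and limiting user-supplied HTML to a fixed set of tags, as an added example that is not code from the thread or from Struts; the `users` table, the `findUser*` methods and the `ALLOWED_TAGS` set are assumptions, and the `Connection` is expected to come from the application's own data source:

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class InputHandling {

    // Vulnerable form, kept only to contrast with the fixed version: the untrusted
    // value is spliced into the SQL text, so a quote in "name" changes the query itself.
    static ResultSet findUserUnsafe(Connection c, String name) throws SQLException {
        String sql = "SELECT id FROM users WHERE name = '" + name + "'";
        return c.createStatement().executeQuery(sql);
    }

    // Fixed form: the "?" placeholder keeps the query structure constant and the
    // driver binds "name" purely as data, escaping whatever needs it.
    static ResultSet findUser(Connection c, String name) throws SQLException {
        PreparedStatement ps = c.prepareStatement("SELECT id FROM users WHERE name = ?");
        ps.setString(1, name);
        return ps.executeQuery();
    }

    // Assumed allowlist for rich-text input: everything else, including <script>,
    // stays escaped. Tags carrying attributes do not match and therefore stay escaped too.
    static final Set<String> ALLOWED_TAGS = Set.of("b", "i", "em", "strong", "p");
    private static final Pattern ESCAPED_TAG = Pattern.compile("&lt;(/?)([a-zA-Z]+)&gt;");

    // Escape the whole string first, then re-enable only the allowlisted tags.
    static String limitTags(String input) {
        String escaped = input.replace("&", "&amp;").replace("<", "&lt;")
                              .replace(">", "&gt;").replace("\"", "&quot;");
        Matcher m = ESCAPED_TAG.matcher(escaped);
        StringBuilder out = new StringBuilder();
        while (m.find()) {
            String tag = m.group(2).toLowerCase();
            String replacement = ALLOWED_TAGS.contains(tag)
                    ? "<" + m.group(1) + tag + ">" : m.group();
            m.appendReplacement(out, Matcher.quoteReplacement(replacement));
        }
        m.appendTail(out);
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed sample input: one allowed tag, one script tag, a stray quote.
        System.out.println(limitTags("<b>hi</b> <script>alert(1)</script> \"x\""));
    }
}
```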