I don't want to use HDIV because:
1. I do not know much about it (yet)
2. It seems to be "heavy weight" - I don't need all of its capabilities

But I have the feeling you know more about HDIV. As far as I know HDIV also changes URLs, which I also don't want. I just want to make my HTML forms secure against XSS and nothing else. And of course I do not have a form on every page...

Pars

----- Original Message ----
From: Dave Newton <davelnew...@gmail.com>
To: Struts Users Mailing List <user@struts.apache.org>
Sent: Friday, 1 October 2010, 14:46:03
Subject: Re: Best Practices for handling of XSS attacks

An interceptor seems like a reasonable solution. Why don't you want to use HDIV?

Dave

On Fri, Oct 1, 2010 at 3:15 AM, Pars Man <parsmani...@yahoo.de> wrote:
> Hi,
>
> I am currently checking the web to find something about how to handle XSS
> attacks in my Struts2 application.
> Unfortunately I just cannot find anything.
>
> I do not want to use HDIV (http://www.hdiv.org/) or the HDIV-Plugin
> (https://cwiki.apache.org/S2PLUGINS/home.html).
>
> What I thought of is an Interceptor that escapes the special characters of
> all parameters that are sent, i.e. by using StringEscapeUtils which is included
> in commons-lang.jar
> (see http://www.mkyong.com/java/how-to-escape-special-characters-in-java/).
>
> 1. How would you manage such a requirement?
> 2. What are the Best Practices?
> 3. Would you use an Interceptor and if yes, what would it look like?
> 4. What options do I have?
> 5. What are the pros and cons?
>
> Thanks
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: user-unsubscr...@struts.apache.org
> For additional commands, e-mail: user-h...@struts.apache.org
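As an added illustration of the interceptor Pars describes in the quoted message (this is not code from the thread, from Struts or from HDIV), the class below runs commons-lang's `StringEscapeUtils` over every request parameter before the `params` interceptor copies the values onto the action. The package and class names are made up, and it assumes the Struts 2.2-era XWork API (`ActionContext.getParameters()` returning a `Map<String, Object>` whose values are `String[]`) and commons-lang 2.x, whose `escapeHtml` covers `&`, `<`, `>` and `"` but not the single quote:

```java
// Added example, not code from the thread. Assumes XWork 2.1+/Struts 2.2 and
// commons-lang 2.x (org.apache.commons.lang.StringEscapeUtils.escapeHtml).
package example.interceptor; // hypothetical package name

import java.util.HashMap;
import java.util.Map;

import org.apache.commons.lang.StringEscapeUtils;

import com.opensymphony.xwork2.ActionContext;
import com.opensymphony.xwork2.ActionInvocation;
import com.opensymphony.xwork2.interceptor.AbstractInterceptor;

/**
 * Escapes the HTML-significant characters of every request parameter so that
 * whatever the action later renders cannot break out of its element or
 * attribute context. Must sit in the stack ahead of the "params" interceptor.
 */
public class HtmlEscapeInterceptor extends AbstractInterceptor {

    @Override
    public String intercept(ActionInvocation invocation) throws Exception {
        ActionContext ctx = invocation.getInvocationContext();
        Map<String, Object> original = ctx.getParameters();
        Map<String, Object> escaped = new HashMap<String, Object>(original.size());

        for (Map.Entry<String, Object> entry : original.entrySet()) {
            escaped.put(entry.getKey(), escapeValue(entry.getValue()));
        }
        // Replace the parameter map; the params interceptor reads this copy.
        ctx.setParameters(escaped);
        return invocation.invoke();
    }

    /** Struts delivers values as String[]; a lone String is handled defensively. */
    static Object escapeValue(Object value) {
        if (value instanceof String[]) {
            String[] in = (String[]) value;
            String[] out = new String[in.length];
            for (int i = 0; i < in.length; i++) {
                out[i] = escapeHtml(in[i]);
            }
            return out;
        }
        if (value instanceof String) {
            return escapeHtml((String) value);
        }
        return value; // non-string parameters (e.g. uploaded files) pass through
    }

    /** escapeHtml leaves the apostrophe alone, so encode it too for quoted attributes. */
    static String escapeHtml(String s) {
        if (s == null) {
            return null;
        }
        return StringEscapeUtils.escapeHtml(s).replace("'", "&#39;");
    }
}
```

To activate it, declare the class under `<interceptors>` in struts.xml and list it in the interceptor stack before `params`. Two caveats a practitioner should weigh: escaping on input stores the entity-encoded form (`&amp;`, `&lt;`) in the model and database, so data re-used outside HTML (e-mail, JSON, search) arrives pre-encoded; and because `<s:property>` already HTML-escapes by default, output that goes through Struts tags would be double-encoded, while output written with raw scriptlets or `escape="false"` is where this interceptor actually adds protection.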