On 1/14/06, Garner, Shawn <[EMAIL PROTECTED]> wrote:
It's the <h:outputText and <h:outputFormat ones.
Turn filtering off eh.  Will have to try it.
My question is what good does the filtering do you and why do you need it
defaulted on?

Because way too many web developers have unwittingly exposed themselves to cross site scripting attacks.

Consider an application that lets you fill out a form, and stores the information in a database.  Now, pretend for a moment that the output text component did no filtering.  Finally, assume that a malicious user typed the following string into the input field whose content is now being rendered:

    <script type="text/javascript">alert("Hi there")</script>

Unless your application explicitly checks for markup in ALL your input fields, you have just let a malicious attacker execute arbitrary JavaScript.  Much better to know that the component will take care of this for you, unless you explicitly turn it off.

Shawn

Craig
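To make the filtering concrete, here is an added stand-alone example (not code from the thread, from MyFaces or from the JSF spec) of what an output component does in spirit when escape="true", and of the safer pattern for Shawn's case: keep the bold/italic markup in the developer-controlled properties template and escape only the untrusted parameters before formatting them in. The template string, the hostile input and the class name are constructed for this example.

```java
import java.text.MessageFormat;

/** Illustrates HTML output escaping versus unescaped rendering of a resource-bundle
 *  message. Example code only; not the MyFaces implementation. */
public final class SafeBundleRender {

    // Escape the characters that change meaning inside HTML element content or a
    // quoted attribute value. This mirrors the intent of escape="true".
    static String escapeHtml(String s) {
        if (s == null) return "";
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Constructed stand-in for a key from ApplicationResources.properties. The markup is
    // written by the developers, so it is trusted; the {n} placeholders are not.
    static final String TEMPLATE =
        "Welcome back, <b>{0}</b>. You have <i>{1}</i> new messages.";

    // Escape each parameter, then format it into the trusted template. The result is
    // safe to render with escape="false" because only developer-authored markup survives.
    static String renderTrustedTemplate(String template, Object... params) {
        Object[] escaped = new Object[params.length];
        for (int i = 0; i < params.length; i++) {
            escaped[i] = escapeHtml(String.valueOf(params[i]));
        }
        return MessageFormat.format(template, escaped);
    }

    public static void main(String[] args) {
        // Constructed input of the kind Craig describes being stored and re-rendered.
        String hostile = "<script type=\"text/javascript\">alert(\"Hi there\")</script>";

        // Default behaviour: the whole value is neutralised into literal text.
        System.out.println(escapeHtml(hostile));

        // Trusted template, escaped parameters: <b>/<i> render, the script tag does not.
        System.out.println(renderTrustedTemplate(TEMPLATE, hostile, 3));

        // What turning escaping off for the whole value would emit: the tag intact.
        System.out.println(MessageFormat.format(TEMPLATE, hostile, 3));
    }
}
```

The design point is that escape="false" should only ever be applied to text whose every byte came from the developers. Once a bundle message carries a placeholder filled from user input, the parameter needs to be escaped before formatting, because the escape attribute applies to the finished string as a whole, not to the pieces that went into it.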
 

-----Original Message-----
From: [EMAIL PROTECTED]
To: MyFaces Discussion
Sent: 1/14/2006 9:17 PM
Subject: Re: ApplicationResources.properties



On 1/14/06, Garner, Shawn <[EMAIL PROTECTED]> wrote:

>>Try HTML escape sequences, like &gt; for >
This doesn't work either.  It just prints &gt; and &lt; and still doesn't
resolve them as HTML.

I used html markup in this file in struts just fine.
All our text is in the properties file.  How else are you supposed to bold
and italicize certain words?  Seems painful to have to make a separate key
for this purpose.


Which component are you using to render the markup?  Just like their
Struts counterparts, most JSF components that emit text will default to
filtering "dangerous" markup characters.  Just as one example, you can
turn filtering off with the standard output text component like this:

  <h:outputText ... value="#{...}" ... escape="false"/>



Shawn


Craig



-----Original Message-----
From: Dennis Byrne
To: MyFaces Discussion
Sent: 1/14/2006 4:33 PM
Subject: Re: ApplicationResources.properties

Try HTML escape sequences, like &gt; for >

... although .properties files were really not designed for HTML .

Dennis Byrne

>-----Original Message-----
>From: Garner, Shawn [mailto:[EMAIL PROTECTED]]
>Sent: Saturday, January 14, 2006 04:02 PM
>To: '[email protected]'
>Subject: ApplicationResources.properties
>
>I have my resource bundle keys in an ApplicationResources.properties file.
>
>However there are some keys in there that have html in them.
>Instead of resolving the html it is just printing it on the page as text.
>
>How do I fix this?
>
>Thanks,
>Shawn
>
>****************************************************************************
>This email may contain confidential material.
>If you were not an intended recipient,
>Please notify the sender and delete all copies.
>We may monitor email to and from our network.
>****************************************************************************
>

