struts-user mailing list archives

From "Van Riper, Mike" <mvanri...@verisign.com>
Subject RE: Evil characters causing mischief in textarea and value attribute contents
Date Thu, 18 Sep 2003 17:11:05 GMT
Not 100% certain, but, I believe the default for the HTML form property tags
was to *not* filter (i.e., filter="false") in Struts 1.0 and that was
changed to default to do filtering (i.e., filter="true") in Struts 1.1. I am
certain that the default for 1.1 is to do filtering.

Original post did not say which version of Struts was being used. If my
recollection of 1.0 behavior is correct, then that could explain the
difference in behavior described here for similar JSP logic. In that case,
you simply need to explicitly set filtering on in all your Struts 1.0
<html:xxx> form property tags.

The filter utility function (can't recall from memory the class
name/package, but, check the source for the <html:xxx> tags to find where it
is defined in Struts sources) converts the quote character and less-than and
greater-than characters to their character entity equivalents.

FYI, Van

Mike Van Riper
mailto:mike.vanriper@baychi.org
http://www.baychi.org/bof/struts/

> -----Original Message-----
> From: Adam Hardy [mailto:ahardy.struts@cyberspaceroad.com]
> Sent: Thursday, September 18, 2003 4:38 AM
> To: Struts Users Mailing List
> Subject: Re: Evil characters causing mischief in textarea and value
> attribute contents
> 
> 
> Hi Andrew,
> I thought, man, you don't know that? Hahaha - and then I realised I 
> don't know either.
> 
> I just checked my app to make sure it's not happening to me too, and 
> it's not. I have stuff like ""snowflake"" in the database and it gets 
> encoded automatically into
> 
> value="a html-busting &quot;character&quot;"
> 
> via <html:text>. Presumably <html:textarea> is the same.
> 
> If you have <bean:write> you can add filter="true".
> 
> 
> Adam
> 
> On 09/18/2003 12:36 PM Andrew Hill wrote:
> > We have some screens that allow users to edit some stuff stored in the db,
> > and some of this stuff includes such characters as " or \ or whatever, and
> > also some of them have xml tags as their contents.
> > 
> > When rendering such fields we are hitting some problems.
> > ie: if the value is something like:
> > my cats name is "snowflake"
> > 
> > we end up with:
> > <input name="fieldname" value="my cats name is ""snowflake""/>
> > 
> > ...which of course is not very good.
> > 
> > Another one is textareas containing </textarea>!
> > 
> > What's the technique for handling this nicely?
> > Obviously I need to escape these somehow. What do I need to consider?
> > 
> > 
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: struts-user-unsubscribe@jakarta.apache.org
> > For additional commands, e-mail: struts-user-help@jakarta.apache.org
> > 
> > 
> 
> -- 
> struts 1.1 + tomcat 4.1.27 + java 1.4.2
> Linux 2.4.20 RH9
> 
> 
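A stand-alone Java sketch of the filtering behaviour the thread describes, added here as an example and not Struts's own code (the class and method names are hypothetical): it converts the quote and angle-bracket characters to entities, and additionally escapes ampersand and single quote, so both the "snowflake" value and a textarea body containing </textarea> render as inert text.

```java
// Added example modelled on the filter="true" behaviour discussed in the thread.
// Not Struts source; HtmlFilterDemo and its methods are hypothetical names.
public final class HtmlFilterDemo {

    /** Replace the characters that can break out of an attribute value or element body. */
    public static String filter(String value) {
        if (value == null) {
            return null;
        }
        StringBuilder sb = new StringBuilder(value.length() + 16);
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                // Beyond what the message lists: without this, stored text such as
                // "&lt;" would be decoded by the browser instead of shown literally.
                case '&':  sb.append("&amp;");  break;
                // Protects single-quoted attributes as well.
                case '\'': sb.append("&#39;");  break;
                // Backslash and everything else need no HTML escaping.
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Render an input the way an <html:text> tag would with filtering on. */
    public static String inputTag(String name, String value) {
        return "<input type=\"text\" name=\"" + filter(name)
             + "\" value=\"" + filter(value) + "\"/>";
    }

    /** Render a textarea; after filtering, the body cannot contain a literal closing tag. */
    public static String textareaTag(String name, String body) {
        return "<textarea name=\"" + filter(name) + "\">" + filter(body) + "</textarea>";
    }

    public static void main(String[] args) {
        // Constructed sample values matching the cases raised in the thread.
        System.out.println(inputTag("fieldname", "my cats name is \"snowflake\""));
        System.out.println(textareaTag("notes", "<note>hi</note>\n</textarea> still inside"));
    }
}
```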
