struts-user mailing list archives

From doahh <>
Subject Re: Does struts2 sanitise the input from forms?
Date Sun, 18 Jan 2009 17:23:59 GMT

Thanks for the great answer Wes. I had to think about it a little but it all
makes sense. The interceptor is a good idea for checking data, I hadn't
quite gotten that far in my thinking.

Wes Wannemacher wrote:
> On Sunday 18 January 2009 09:34:23 doahh wrote:
>> I have been thinking about protecting an app from SQL injection and XSS
>> attacks but currently know very little about this area of security. I
>> started out using the Http Data Integrity Validation Framework (HDIV) but
>> found it was a little too secure in that it broke bookmarks, the back button
>> and attempted to grab every exception and claim it was an attack; I have
>> now removed it. I have the following questions:
>> 1) If a user enters some kind of attack into a form field does struts
>> provide any defense against this?
>> 2) If not should I be checking the input for double quotes, single quote,
>> html close tags etc. and escaping/encoding them or is there a better way?
> The short answer to this question is "no."
> However, since Java/JSP is not Perl or PHP, the backtick quotes are not a
> problem. To protect against SQL injection, do not construct SQL queries using
> String manipulation. In almost every language, this alone is the hole. In
> Java/JDBC the proper facility for setting parameters in a query is to use
> placeholders. This means preparing a statement handle and calling the
> setparameter family of methods. By doing this, the JDBC driver will escape all
> characters that need it.
> This will leave you to deal with HTML tags. Struts does provide some
> facilities for dealing with this. If all submitted data will be set in a
> struts-y way such as action properties, then you can use the s:property tag
> which has an "escape" parameter which will escape the result before displaying
> it. Unfortunately, this gives you an all-or-nothing solution. In some cases you
> might want a solution that allows for rich-text editing, such as using TinyMCE
> which will legitimately require the user to submit content requiring HTML
> tags. In that case, the best thing to do is add an interceptor, or logic in
> your action to limit the input to a fixed set of tags, and remove tags such as
> <script>.
> -Wes
> --
> Wes Wannemacher
> Author - Struts 2 In Practice
> Includes coverage of Struts 2.1, Spring, JPA, JQuery, Sitemesh and more
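The JDBC point in Wes's reply, shown as an added example that is not part of the thread: the same lookup written with string concatenation and with a placeholder. The table, the `UserLookup` class and the JDBC URL passed as `args[0]` (any driver on the classpath) are assumptions for the demonstration.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

// Hypothetical lookup used to contrast the two JDBC styles discussed above.
public class UserLookup {

    // UNSAFE: the form value becomes part of the SQL text. A single quote in
    // the input ends the string literal, so whatever follows is parsed as SQL.
    static String emailUnsafe(Connection conn, String username) throws SQLException {
        String sql = "SELECT email FROM users WHERE username = '" + username + "'";
        try (Statement st = conn.createStatement(); ResultSet rs = st.executeQuery(sql)) {
            return rs.next() ? rs.getString(1) : null;
        }
    }

    // SAFE: the '?' placeholder is part of the compiled statement; the value
    // bound with setString travels as data, and the driver quotes it as needed.
    static String emailSafe(Connection conn, String username) throws SQLException {
        String sql = "SELECT email FROM users WHERE username = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, username);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() ? rs.getString(1) : null;
            }
        }
    }

    // Assumes args[0] is a JDBC URL and the matching driver is on the classpath.
    public static void main(String[] args) throws SQLException {
        try (Connection conn = DriverManager.getConnection(args[0]);
             Statement st = conn.createStatement()) {
            st.execute("CREATE TABLE users (username VARCHAR(64), email VARCHAR(128))");
            st.execute("INSERT INTO users VALUES ('O''Brien', 'ob@example.invalid')");

            String name = "O'Brien"; // constructed input: a legitimate apostrophe
            System.out.println("safe:   " + emailSafe(conn, name));
            try {
                System.out.println("unsafe: " + emailUnsafe(conn, name));
            } catch (SQLException e) {
                // The concatenated query is malformed: the quote inside the data
                // was read as SQL syntax. That same behaviour is the injection hole.
                System.out.println("unsafe: " + e.getMessage());
            }
        }
    }
}
```

The safe variant returns the stored address for a name containing a quote, while the concatenated variant fails on it; the driver, not the action code, handles escaping once a placeholder is used.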
