Using Spring MVC with JSP:
After some reading, I came to the conclusion, that if I print some value using
${someValue}
no html escaping is done. This is a problem since I want to print texts containing < > etc.
The solution I am going to use is to replace all occurencies of this kind using the <c:out>-tag like
<c:out value="${someValue}" />
My question is: Why would I want to use the short form in the first place?
The only valid usage I'd imagine would be, if I want to render the content of someValue as html (which in my opinion is rather the exceptional case).
EDIT: I've found another post which answers my question about when to use the short form, it can be found here
XSS prevention in JSP/Servlet web application
As stated in the link, it is important to wrap user-controlled input which is being re-displayed since this is the potential source for an attack.
So, if some value does not have any special characters e.g. like < or > and is not a value generated or controlled by the user, the shorthand form ${someValue} can be used.
Related
my application was developed in asp.net mvc 4. we have list of jobs.
now we have allowed all special characters in job name, but
</ characters causes issue in creating <a> anchor tag. I have also tried to create anchor tag with these character on w3schools.com example. I noticed the same thing.
for example, job name => Test </ Test
but it will render ONLY "Test" NOT "Test </ Test".
We are creating this link in "fnRowCallback" using javascript as it is listing of jobs and for that we have used jquery datatable http://legacy.datatables.net/.
Please help me, how to prevent the characters using regular expression on JobName model property.
Thanks in advance.
If you mean for the display part of the anchor tag, everything should be fine - you should be getting ASP.NET MVC to perform any escaping required to represent your text properly in HTML, e.g. using #Html.AnchorLink(...). It's far better to be able to escape everything than to have to restrict your input :)
In general, raw data should never be written directly to the HTML - it can represent a huge security risk, for example. It should always be handled with the appropriate escaping, which should almost always be performed by the web presentation framework you're using rather than by any hand-crafted code.
I would like to know if there is a php echo equivalent in JSF. I would like to publish html from my bean to my facelet.
This is because I want to add three different primefaces components each time a user clicks on one of the component that has been added. I could not achieve this with taglibs.
Thank you
I believe you got confused by builtin XSS prevention of JSF which caused your "plain vanilla" HTML to get escaped and thus displayed as-is instead of being interpreted as part of HTML source. Given that you're familiar with PHP, the explanation is that JSF has basically PHP's htmlspecialchars() by default turned on in all EL expressions printing output.
Just use <h:outputText> with escape attribute set to false to turn off implicit HTML escaping.
<h:outputText value="#{bean.html}" escape="false" />
Please make sure that you're fully aware of the potential XSS attack hole created here when it concerns user-controlled input. Your question at its own already indicates that you had no idea of it.
See also:
CSRF, XSS and SQL Injection attack prevention in JSF
Is it suggested to use h:outputText for everything?
As to the concrete functional requirement,
This is because I want to add three different primefaces components each time a user clicks on one of the component that has been added. I could not achieve this with taglibs.
Please note that JSF code is not HTML code. You should instead be writing those JSF components directly in the view and use the rendered attribute to render them conditionally.
<label for="abc" id="xyz">http://abc.com/player.js</xref>?xyz="foo" </label>
is ignoring
</xref> tag
value in the browser. So, the displayed output is
http://abc.com/player.js?xyz="foo"
but i want the browser to display
http://abc.com/player.js</xref>?xyz="foo"
Please help me how to achieve this.
It isn't being ignored. It is being treated as an end tag (for a non-HTML element that has no start tag). Use < if you want a < character to appear as data instead of as "start of tag".
That said, this is a URL and raw <, > and " characters shouldn't appear in URIs anyway. So encode it as http://abc.com/player.js%3C/xref%3E?xyz=%22foo%22
You should do it like this
"http://abc.com/player.js%3C/xref%3E?xyz=foo"
Url should be encoded properly to work as valid URL
Use encodeURI for encoding URLs for a valid one
var ValidURL = encodeURI("http://abc.com/player.js</xref>?xyz=foo");
See this answer on encodeURI for better knowledge.
I misunderstood the question, I thought the URI was to be used elsewhere within JavaScript. But the question pretty clearly states that the URI is to just be rendered as text.
If the text being displayed is being passed in from a server, then your best bet is to encode it before printing it on the page (or if you're using a template engine, then you can most likely just encode it on the template). Pretty much any web framework/templating engine should have this functionality.
However, if it is just static HTML, just manually encode the the characters. If you don't know the codes off the top of your head, you can just use some online converter to help, such as something like:
HTML Encode/Decode:
http://htmlentities.net/
Old Answer:
Try encoding the URI using the JavaScript function encodeURI before using it:
encodeURI('http://abc.com/player.js</xref>?xyz="foo"');
You can also decode it using decodeURI if need be:
decodeURI(yourEncodedURI);
So ultimately I don't think you'll be able to get the browser to display the </xref> tag as is, but you will be able to preserve it (using encodeURI/decodeURI) and use it in your code, if this is what you need.
Fiddle:
http://jsfiddle.net/rk8nR/3/
More info:
When are you supposed to use escape instead of encodeURI / encodeURIComponent?
I've recently learned that i shouldn't store html encoded data in the database, but i should rather html encode the data that is shown on the screen for the user.
No big deal, i have to fix my database records and make some code changes.
But my question is, when should I use html encode and when shouldn't I.
For example, within a html table, I'm writing directly from the database to the inner HTML of a column. Without encoding this would be dangerous, I get that.
What about when setting the value of a textbox. It seems to work without having to html encode the value. But I'm not sure why. This is what the textbox look like:
<input type="textbox" value="xxx"/>
But when setting the value to: "/><p style="font-size: 100px;">testing hack</p>
The html source will be:
<input type="textbox" value=""/><p style="font-size: 100px;">testing hack</p>
It will look fine though when viewed so the p-tag isn't working as intended by the "hack".
Is anyone getting what I'm trying to aim at :) ?
If I do try to html encode something i set to a textbox value, the result will display "<" and so on, which is not what I intended.
So in short: Should I only html encode stuff that is set to the innerHtml of html-controls, and not when setting the value of, for example, textboxes?
The answer came out of thejh's and my discussion in the comment to the question. I was not sure what to mark as answer so I decided to answer my own question. I hope that's ok.
It seems like when setting a value of an attribute (like the textbox's "value") .NET automatically html encodes the value so there is no need to do this by yourself.
When setting a html controls inner HTML though, it's important that you do html encode the value.
Thanks Thejh, sorry I couldn't up vote anything u wrote.
edit: I can't mark this as the answer for another 2 days.
in the case of
<input type="textbox" value="xxx"/>
'xxx' is an attribute, and you should use a different encoding. In ASP.NET it's HtmlAttributeEncode for example.
For HTML attributes, encode backslashes and double quotes.
Replace every \ by \\
Replace every " by \"
Oh, by the way: Sometimes PHP does this for you, see here.
This feature has been DEPRECATED as of PHP 5.3.0. Relying on this feature is highly discouraged.
How do I limit the types of HTML that a user can input into a textbox? I'm running a small forum using some custom software that I'm beta testing, but I need to know how to limit the HTML input. Any suggestions?
i'd suggest a slightly alternative approach:
don't filter incoming user data (beyond prevention of sql injection). user data should be kept as pure as possible.
filter all outgoing data from the database, this is where things like tag stripping, etc.. should happen
keeping user data clean allows you more flexibility in how it's displayed. filtering all outgoing data is a good habit to get into (along the never trust data meme).
You didn't state what the forum was built with, but if it's PHP, check out:
http://htmlpurifier.org/
Library Features: Whitelist, Removal, Well-formed, Nesting, Attributes, XSS safe, Standards safe
Once the text is submitted, you could strip any/all tags that don't match your predefined set using a regex in PHP.
It would look something like the following:
find open tag (<)
if contents != allowed tag, remove tag (from <..>)
Parse the input provides and strip out all html tags that don't match exactly the list you are allowing. This can either be a complex regex, or you can do a stateful iteration through the char[] of the input string building the allowed input string and stripping unwanted attributes on tags like img.
Use a different code system (BBCode, Markdown)
Find some code online that already does this, to use as a basis for your implementation. For example Slashcode must perform this, so look for its implementation in the Perl and use the regexes (that I assume are there)
Regardless what you use, be sure to be informed of what kind of HTML content can be dangerous.
e.g. a < script > tag is pretty obvious, but a < style > tag is just as bad in IE, because it can invoke JScript commands.
In fact, any style="..." attribute can invoke script in IE.
< object > would be one more tag to be weary of.
PHP comes with a simple function strip_tag to strip HTML tags. It allows for certain tags to not be stripped.
Example #1 strip_tags() example
<?php
$text = '<p>Test paragraph.</p><!-- Comment --> Other text';
echo strip_tags($text);
echo "\n";
// Allow <p> and <a>
echo strip_tags($text, '<p><a>');
?>
The above example will output:
Test paragraph. Other text
<p>Test paragraph.</p> Other text
Personally for a forum, I would use BBCode or Markdown because the amount of support and features provided such as live preview.