I would like to know if there is a php echo equivalent in JSF. I would like to publish html from my bean to my facelet.
This is because I want to add three different primefaces components each time a user clicks on one of the component that has been added. I could not achieve this with taglibs.
Thank you
I believe you got confused by builtin XSS prevention of JSF which caused your "plain vanilla" HTML to get escaped and thus displayed as-is instead of being interpreted as part of HTML source. Given that you're familiar with PHP, the explanation is that JSF has basically PHP's htmlspecialchars() by default turned on in all EL expressions printing output.
Just use <h:outputText> with escape attribute set to false to turn off implicit HTML escaping.
<h:outputText value="#{bean.html}" escape="false" />
Please make sure that you're fully aware of the potential XSS attack hole created here when it concerns user-controlled input. Your question at its own already indicates that you had no idea of it.
See also:
CSRF, XSS and SQL Injection attack prevention in JSF
Is it suggested to use h:outputText for everything?
As to the concrete functional requirement,
This is because I want to add three different primefaces components each time a user clicks on one of the component that has been added. I could not achieve this with taglibs.
Please note that JSF code is not HTML code. You should instead be writing those JSF components directly in the view and use the rendered attribute to render them conditionally.
Related
Using Spring MVC with JSP:
After some reading, I came to the conclusion, that if I print some value using
${someValue}
no html escaping is done. This is a problem since I want to print texts containing < > etc.
The solution I am going to use is to replace all occurencies of this kind using the <c:out>-tag like
<c:out value="${someValue}" />
My question is: Why would I want to use the short form in the first place?
The only valid usage I'd imagine would be, if I want to render the content of someValue as html (which in my opinion is rather the exceptional case).
EDIT: I've found another post which answers my question about when to use the short form, it can be found here
XSS prevention in JSP/Servlet web application
As stated in the link, it is important to wrap user-controlled input which is being re-displayed since this is the potential source for an attack.
So, if some value does not have any special characters e.g. like < or > and is not a value generated or controlled by the user, the shorthand form ${someValue} can be used.
my application was developed in asp.net mvc 4. we have list of jobs.
now we have allowed all special characters in job name, but
</ characters causes issue in creating <a> anchor tag. I have also tried to create anchor tag with these character on w3schools.com example. I noticed the same thing.
for example, job name => Test </ Test
but it will render ONLY "Test" NOT "Test </ Test".
We are creating this link in "fnRowCallback" using javascript as it is listing of jobs and for that we have used jquery datatable http://legacy.datatables.net/.
Please help me, how to prevent the characters using regular expression on JobName model property.
Thanks in advance.
If you mean for the display part of the anchor tag, everything should be fine - you should be getting ASP.NET MVC to perform any escaping required to represent your text properly in HTML, e.g. using #Html.AnchorLink(...). It's far better to be able to escape everything than to have to restrict your input :)
In general, raw data should never be written directly to the HTML - it can represent a huge security risk, for example. It should always be handled with the appropriate escaping, which should almost always be performed by the web presentation framework you're using rather than by any hand-crafted code.
I'm trying to understand why do I need to use XSS library when I can merely do HtlEncode when sending data from server to client ...?
For example , here in Stackoverflow.com - the editor - all the SO tem neads to do is save the user input and display it with html encode.
This way - there will never going to be a HTML tag - which is going to be executed.
I'm probably wrong here -but can you please contradict my statement , or exaplain?
For example :
I know that IMG tag for example , can has onmouseover , onload which a user can do malicious scripts , but the IMG won't event run in the browser as IMG since it's <img> and not <img>
So - where is the problem ?
HTML-encoding is itself one feature an “XSS library” might provide. This can be useful when the platform doesn't have a native HTML encoder (eg scriptlet-based JSP) or the native HTML encoder is inadequate (eg not escaping quotes for use in attributes, or ]]> if you're using XHTML, or #{} if you're worried about cross-origin-stylesheet-inclusion attacks).
There might also be other encoders for other situations, for example injecting into JavaScript strings in a <script> block or URL parameters in an href attribute, which are not provided directly by the platform/templating language.
Another useful feature an XSS library could provide might be HTML sanitisation, for when you want to allow the user to input data in HTML format, but restrict which tags and attributes they use to a safe whitelist.
Another less-useful feature an XSS library could provide might be automated scanning and filtering of input for HTML-special characters. Maybe this is the kind of feature you are objecting to? Certainly trying to handle HTML-injection (an output stage issue) at the input stage is a misguided approach that security tools should not be encouraging.
HTML encoding is only one aspect of making your output safe against XSS.
For example, if you output a string to JavaScript using this code:
<script>
var enteredName = '<%=EnteredNameVariableFromServer %>';
</script>
You will be wanting to hex entity encode the variable for proper insertion in JavaScript, not HTML encode. Suppose the value of EnteredNameVariableFromServer is O'leary, then the rendered code when properly encoded will become:
<script>
var enteredName = 'O\x27leary';
</script>
In this case this prevents the ' character from breaking out of the string and into the JavaScript code context, and also ensures proper treatment of the variable (HTML encoding it would result in the literal value of O'leary being used in JavaScript, affecting processing and display of the value).
Side note:
Also, that's not quite true of Stack Overflow. Certain characters still have special meanings like in the <!-- language: lang-none --> tag. See this post on syntax highlighting if you're interested.
I have an HTML form rendered by PL/SQL procedure that has an input field for comments to be entered by the user. In case, he enters some script and submits, the same gets inserted into database. To escape it while inserting the data, we can use htf.escape_sc function (takes care at back-end level). But can we do that for html at front-end level itself? If so, how to proceed?
you may wish to have a look at validation widgets from some js framework. offhand i remember kendoui (kendo ui validator) and jqwidgets (jqxValidator). however beware as both toolkits are commercial. jqueryUI should have similar functionality for free, though.
in case you prefer a plain html5 solution have a look at HTML5 Form Validation / Constraint Validation API. There also are an article on mozilla MDN, a list of Supporting browsers, and of course the official standard.
however, a plain html solution will not perform any conversion - which means that the user has to enter the data in the way it is expected at the other end, which in your case is probably nothing you'd want to burden the user with ...
ps:
this fiddle contains an elementary example for validating against a pattern.
disclaimer: i'm not affiliated with any of the named toolkits' producers.
I need to fix XSS issues in my application. Now I am new to JSON and XSS. I think of two ways attacks can happen - first is through html input controls (text boxe/area etc) or through request parameters which are visible in the url (GET). Please suggest if i am missing something here?
I am thinking to use AntiSamy (https://www.owasp.org/index.php/Category:OWASP_AntiSamy_Project). I am thinking of creating a custom tag which would contain the value of html controls e.g.
<input type="text" NAME="name" value="<mytag:xssclean><c:out value= escapeXml="false"/></mytag:xssclean>
this tag class would actually use antisamy to scan the html content. will this take care of encoding any malicious javascript content entered into text box/area before sending those parameters to controller classes and then eventually to database? Or would it only encode the content which is coming from controller classes to get rendered on jsp?
Is this the right approach? When would i need to validate on the java side (controller classes by direct validation using antisamy) versus on jsp (with new tag)?
Additionally I have many jsp's which do not have direct form fields with html controls but their struture is created dynamically and jason string is given to the jsp. jsp would simply have : where 'value' would contain the final jason to be rendered on html (including html fields). Do we need to apply XSS solution using antisamy on jason strings or jason data is already safe from XSS attacks and the thing like are already present as text in jason? where should i resolve this issue for json cases?