Jeff,

The way that I solved this was to implement my own subclass of the
TilesRequestProcessor (because we use Tiles) and then specify that request
processor in the controller element of the struts config file. In this
subclass, I override processValidate() and in my override I wrap the
incoming request object with my own extension of HttpServletRequestWrapper
(part of 2.3 Servlet API, but, you could just pull that class into your
project to make this work with a servlet container that only supports the
2.2 version of the Servlet API). My extension of the request wrapper class
has both a helper function to do validation of the request parameters for
XSS *and* filtering on the parameter getter functions to prevent a
round-trip back to the client of any nasty XSS stuff.

This allows me to do the XSS check in one bottleneck and treat it as a form
validation error when XSS request parameter data is detected. If the XSS
validation check passes, then I call the super.processValidate() and let
Struts take it from there.

I suppose something similar could be done using a request filter, but, I
like doing it inside the request processor where I have access to the
associated Struts action mapping along with the request object. With the
action mapping available to me, I can do logical forwarding using struts
configuration settings in this context that I wouldn't be able to do with a
separate request filter.

I've used this technique successfully on several projects. In one project,
the paradigm was to take the user back to the input page with an error
message at the top and cleaned up data redisplayed in the form. In another
project, they preferred to go to a separate error page specific to XSS
errors. With this approach, I was able to implement the first way relying on
the "input" setting of the associated action mapping. I was also able to
implement the second approach using a global forward for the error page and
doing a lookup (i.e., mapping.findForward()) to implement the error handling
that way.

Hope this helps, Van

Mike "Van" Riper
Silicon Valley Struts User Group
http://www.baychi.org/bof/struts/
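As an added illustration of the approach Van describes (this is example code, not Van's own implementation nor anything shipped with Struts), here is a request-processor subclass that wraps the incoming request before validation. It assumes the Struts 1.1-era API (TilesRequestProcessor, processValidate(), mapping.getInput(), mapping.findForward(), processForwardConfig()), a hypothetical global forward named "xssError" and a hypothetical resource-bundle key "errors.xss"; the blocklist pattern is likewise an assumption to be tuned per application.

```java
import java.io.IOException;
import java.util.Enumeration;
import java.util.regex.Pattern;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpServletResponse;

import org.apache.struts.Globals;
import org.apache.struts.action.ActionErrors;
import org.apache.struts.action.ActionForm;
import org.apache.struts.action.ActionForward;
import org.apache.struts.action.ActionMapping;
import org.apache.struts.action.ActionMessage;
import org.apache.struts.tiles.TilesRequestProcessor;

/** Request wrapper: validates parameter values and HTML-encodes what it hands back. */
class XssGuardRequest extends HttpServletRequestWrapper {
    // Assumed policy: refuse anything that could open a tag or break out of an attribute.
    private static final Pattern SUSPICIOUS =
        Pattern.compile("[<>\"']|javascript:", Pattern.CASE_INSENSITIVE);

    XssGuardRequest(HttpServletRequest request) { super(request); }

    /** Helper for the validation step: name of the first offending parameter, or null. */
    String firstSuspiciousParameter() {
        for (Enumeration e = super.getParameterNames(); e.hasMoreElements();) {
            String name = (String) e.nextElement();
            String[] values = super.getParameterValues(name);
            if (values == null) continue;
            for (int i = 0; i < values.length; i++) {
                if (values[i] != null && SUSPICIOUS.matcher(values[i]).find()) return name;
            }
        }
        return null;
    }

    /** Minimal HTML entity encoding so a value echoed into a page cannot form markup. */
    static String htmlEncode(String s) {
        if (s == null) return null;
        StringBuffer out = new StringBuffer(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // Filtering getters: code that reads through this wrapper never sees raw markup.
    // (A complete wrapper would also cover getParameterMap().)
    public String getParameter(String name) { return htmlEncode(super.getParameter(name)); }

    public String[] getParameterValues(String name) {
        String[] raw = super.getParameterValues(name);
        if (raw == null) return null;
        String[] encoded = new String[raw.length];
        for (int i = 0; i < raw.length; i++) encoded[i] = htmlEncode(raw[i]);
        return encoded;
    }
}

/** Registered via <controller processorClass="..."/> in struts-config.xml. */
public class XssGuardRequestProcessor extends TilesRequestProcessor {
    protected boolean processValidate(HttpServletRequest request, HttpServletResponse response,
                                      ActionForm form, ActionMapping mapping)
            throws IOException, ServletException {
        XssGuardRequest guarded = new XssGuardRequest(request);
        String bad = guarded.firstSuspiciousParameter();
        if (bad == null) {
            // Clean request: hand the wrapped request to normal Struts validation.
            return super.processValidate(guarded, response, form, mapping);
        }
        // Treat the finding as a validation error visible to <html:errors/>.
        ActionErrors errors = new ActionErrors();
        errors.add(ActionErrors.GLOBAL_MESSAGE, new ActionMessage("errors.xss", bad)); // assumed key
        request.setAttribute(Globals.ERROR_KEY, errors);

        // Strategy 2 from the post: a global forward dedicated to XSS errors (assumed name).
        ActionForward errorPage = mapping.findForward("xssError");
        if (errorPage != null) {
            processForwardConfig(request, response, errorPage);
            return false;
        }
        // Strategy 1 from the post: back to the mapping's "input" page with the error shown.
        String input = mapping.getInput();
        if (input != null) {
            processForwardConfig(request, response, new ActionForward(input));
        } else {
            response.sendError(HttpServletResponse.SC_BAD_REQUEST);
        }
        return false; // stop processing; the Action is never invoked
    }
}
```

Two caveats worth keeping in mind with this layout. First, the wrapper's encoding getters only protect code that reads through the wrapper; Struts populates the form bean before processValidate() runs and continues the chain with the original request object, so the rejection check is what actually stops the request here, and output-time escaping (for example the default filter="true" on &lt;bean:write&gt;) remains the primary defence against reflecting data into the page. Second, a character blocklist like the one above is a conservative default-deny, not a complete model of what a browser will execute, so it belongs in front of, not instead of, proper output encoding.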

> -----Original Message-----
> From: jeff mutonho [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, May 05, 2004 4:52 AM
> To: [EMAIL PROTECTED]
> Subject: Dealing with XSS in struts
> 
> 
> Hi 
> What are the recommendations to deal with cross-site 
> scripting in struts?
> I've got an app that a user can access at a URL, let's call
> it http://localhost/myapplication , now doing something like
>  
> http://localhost/myapplication/applicationInit.do?mode=<script
> alert(document.cookie)</script>  
> reveals a pop-up box containing the currently set cookies.
> 
> How can I block that from happening? Is there a way of encoding a form
> bean?
> Please help as this is critical to the app.
> 
> jeff mutonho
