Thanks for the great answer Wes. I had to think about it a little but it all makes sense. The interceptor is a good idea for checking data, I hadn't quite gotten that far in my thinking.
Wes Wannemacher wrote:
>
> On Sunday 18 January 2009 09:34:23 doahh wrote:
>> I have been thinking about protecting an app from SQL injection and XSS
>> attacks but currently know very little about this area of security. I
>> started out using the Http Data Integrity Validation Framework (HDIV) but
>> found it was a little too secure in that it broke bookmarks, the back
>> button and attempted to grab every exception and claim it was an attack;
>> I have now removed it. I have the following questions:
>>
>> 1) If a user enters some kind of attack into a form field does Struts
>> provide any defense against this?
>> 2) If not should I be checking the input for double quotes, single quote,
>> html close tags etc and escaping/encoding them or is there a better way?
>
> The short answer to this question is "no."
>
> However, since Java/JSP is not perl or PHP, the backtick quotes are not a
> problem. To protect against SQL injection, do not construct SQL queries
> using String manipulation. In almost every language, this alone is the
> hole. In Java/JDBC the proper facility for setting parameters in a query
> is to use placeholders. This means preparing a statement handle and
> calling the setparameter family of methods. By doing this, the JDBC driver
> will escape all characters that need it.
>
> This will leave you to deal with HTML tags. Struts does provide some
> facilities for dealing with this. If all submitted data will be set in a
> struts-y way such as action properties, then you can use the s:property
> tag which has an "escape" parameter which will escape the result before
> displaying it. Unfortunately, this gives you an all-or-nothing solution.
> In some cases you might want a solution that allows for rich-text editing,
> such as using TinyMCE which will legitimately require the user to submit
> content requiring HTML tags. In that case, the best thing to do is add an
> interceptor, or logic in your action to limit the input to a fixed set of
> tags and remove tags such as <script>.
>
> -Wes
>
> --
> Wes Wannemacher
> Author - Struts 2 In Practice
> Includes coverage of Struts 2.1, Spring, JPA, JQuery, Sitemesh and more
> http://www.manning.com/wannemacher
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: user-unsubscr...@struts.apache.org
> For additional commands, e-mail: user-h...@struts.apache.org

--
View this message in context: http://www.nabble.com/Does-struts2-sanatise-the-input-from-forms--tp21528467p21530402.html
Sent from the Struts - User mailing list archive at Nabble.com.
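The JDBC point in Wes's reply, shown side by side as an added example (this is not code from the thread, from Wes, or from the Struts project). The `users` table, its `username`/`email` columns and the `UserLookup` class are assumptions made for the illustration; the `Connection` is whatever your app already obtains from its DataSource.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

/**
 * Same lookup written twice: once by building the SQL text from the submitted
 * value (the pattern to avoid), once with a JDBC placeholder so the driver
 * handles quoting. Table and column names are assumptions for this example.
 */
public class UserLookup {

    private final Connection conn;

    public UserLookup(Connection conn) {
        this.conn = conn;
    }

    /**
     * VULNERABLE: the form value is concatenated into the statement, so any
     * quote character in it changes the structure of the query rather than
     * being treated as data. Escaping quotes by hand does not reliably fix
     * this; binding the value does.
     */
    public List<String> findEmailsUnsafe(String username) throws SQLException {
        String sql = "SELECT email FROM users WHERE username = '" + username + "'";
        try (Statement st = conn.createStatement();
             ResultSet rs = st.executeQuery(sql)) {
            return collect(rs);
        }
    }

    /**
     * SAFE: the statement is prepared with a '?' placeholder and the value is
     * bound with setString, so it is sent to the database as a parameter and
     * never parsed as SQL, whatever characters it contains.
     */
    public List<String> findEmails(String username) throws SQLException {
        String sql = "SELECT email FROM users WHERE username = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, username);
            try (ResultSet rs = ps.executeQuery()) {
                return collect(rs);
            }
        }
    }

    /**
     * Caveat: placeholders bind values only. Identifiers such as a column in
     * ORDER BY cannot be bound, so a user-chosen sort column must be checked
     * against a fixed allow-list before it is spliced into the SQL text.
     */
    private static final Set<String> SORTABLE_COLUMNS =
            new HashSet<String>(Arrays.asList("username", "email"));

    public List<String> findEmailsSorted(String username, String orderBy) throws SQLException {
        if (!SORTABLE_COLUMNS.contains(orderBy)) {
            throw new IllegalArgumentException("unsupported sort column");
        }
        // orderBy is one of our own literals at this point, not user-controlled text
        String sql = "SELECT email FROM users WHERE username = ? ORDER BY " + orderBy;
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, username);
            try (ResultSet rs = ps.executeQuery()) {
                return collect(rs);
            }
        }
    }

    private static List<String> collect(ResultSet rs) throws SQLException {
        List<String> out = new ArrayList<String>();
        while (rs.next()) {
            out.add(rs.getString(1));
        }
        return out;
    }
}
```

The try-with-resources form needs Java 7 or later; on the Java 6 that was current when this thread was written, close the `Statement`, `PreparedStatement` and `ResultSet` in `finally` blocks instead. The `findEmailsSorted` method is there to show the one place where concatenation is still unavoidable and how to keep it safe: the value that reaches the SQL string is one of your own constants, chosen by an allow-list check, never the raw request parameter.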
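The interceptor Wes suggests for rich-text fields, as an added example rather than code from the thread, from Wes or from Struts itself. It assumes the Struts 2.1-era XWork API in which `ActionContext.getParameters()` returns a `Map<String, Object>` of `String[]` values (Struts 2.5 and later wrap this in `HttpParameters`, so the parameter handling would need adjusting there), and it assumes the OWASP Java HTML Sanitizer (`org.owasp.html`) is on the classpath; the tag list, the `richTextParams` setting and the class name are choices made for the example.

```java
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

import org.owasp.html.HtmlPolicyBuilder;
import org.owasp.html.PolicyFactory;

import com.opensymphony.xwork2.ActionInvocation;
import com.opensymphony.xwork2.interceptor.AbstractInterceptor;

/**
 * Reduces the HTML in selected request parameters to a fixed set of tags
 * before the params interceptor copies them onto the action. Every other
 * parameter is left alone and should be rendered through s:property's
 * escaping. Register it in struts.xml ahead of "params", for example:
 *
 *   <interceptor name="richText" class="example.RichTextSanitizerInterceptor"/>
 *   <interceptor-stack name="richTextStack">
 *     <interceptor-ref name="richText">
 *       <param name="richTextParams">body,signature</param>
 *     </interceptor-ref>
 *     <interceptor-ref name="defaultStack"/>
 *   </interceptor-stack>
 *
 * (the package name "example" and the parameter names are assumptions).
 */
public class RichTextSanitizerInterceptor extends AbstractInterceptor {

    /**
     * Allow-list policy: only these elements survive, only href is kept on
     * links, and only http/https link targets are accepted. Anything not
     * listed, including script, style, event-handler attributes and
     * javascript: URLs, is dropped by the sanitizer.
     */
    private static final PolicyFactory POLICY = new HtmlPolicyBuilder()
            .allowElements("p", "br", "b", "i", "em", "strong", "u",
                           "ul", "ol", "li", "blockquote", "a")
            .allowAttributes("href").onElements("a")
            .allowUrlProtocols("http", "https")
            .requireRelNofollowOnLinks()
            .toFactory();

    /** Request parameter names that are permitted to carry limited HTML. */
    private final Set<String> richTextParams = new HashSet<String>();

    /** Called by Struts for the comma-separated <param name="richTextParams"> value. */
    public void setRichTextParams(String csv) {
        richTextParams.clear();
        for (String name : csv.split(",")) {
            if (name.trim().length() > 0) {
                richTextParams.add(name.trim());
            }
        }
    }

    /** Reduce one submitted value to the allowed subset of HTML. */
    public static String sanitize(String html) {
        return html == null ? null : POLICY.sanitize(html);
    }

    @Override
    public String intercept(ActionInvocation invocation) throws Exception {
        Map<String, Object> original = invocation.getInvocationContext().getParameters();
        // Work on a copy so we never depend on the context map being mutable.
        Map<String, Object> cleaned = new HashMap<String, Object>(original);
        for (String name : richTextParams) {
            Object raw = cleaned.get(name);
            if (raw instanceof String[]) {
                String[] values = (String[]) raw;
                String[] safe = new String[values.length];
                for (int i = 0; i < values.length; i++) {
                    safe[i] = sanitize(values[i]);
                }
                cleaned.put(name, safe);
            } else if (raw instanceof String) {
                cleaned.put(name, sanitize((String) raw));
            }
        }
        invocation.getInvocationContext().setParameters(cleaned);
        return invocation.invoke();
    }
}
```

Two design points are worth noting. The policy is an allow-list of tags, which is what "limit the input to a fixed set of tags" amounts to in practice; a deny-list that only strips `<script>` misses event-handler attributes, `javascript:` links and malformed tags that browsers still interpret, which is why a real HTML parser rather than a regular expression does the work. And the sanitizer is applied only to the parameters named in the configuration, so ordinary fields still go through `s:property`'s escaping on output; a field is either plain text that gets escaped, or rich text that gets sanitized, never both and never neither.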