In that case the answer is simple, as Howard already mentioned: just filter all unwanted stuff in parseClient or with a custom validator.
The story is much more challenging when the user is allowed to enter some markup, or even javascript, but not the malicious type :) (We even have had this in a requirement doc in one project. =D )

-99

Peter Stavrinides wrote:
>
> The data in our database is shared by other apps, so its integrity is most
> important and requires extensive validation... therefore I would have to
> take a more defensive approach and filter out unwanted markup upfront.
>
> ----- Original Message -----
> From: "9902468" <[EMAIL PROTECTED]>
> To: users@tapestry.apache.org
> Sent: Friday, 23 May, 2008 3:40:20 PM GMT +02:00 Athens, Beirut, Bucharest, Istanbul
> Subject: Re: Tapestry 5 validation for cross site scripting
>
>
> Hi,
>
> we have always done it so that the user can input anything they like, but when
> the page renders, some marks like < and > are encoded to html entities. This
> way the data is in the database exactly like the user intended, and the browser
> etc. is safe because dangerous characters are encoded.
>
> If you encode the data that goes to the database then other systems that use
> your data might fail. (For example, an encoded < has no meaning to some
> systems...)
>
> All this is much harder when the user is actually allowed to enter markup
> directly into the page using, let's say, the Editor component (that uses fckeditor and
> is missing a proper connector...), and that must be displayed correctly. Then
> the detection of dangerous markup is a little more difficult, but javascript
> should be encoded entirely in this situation.
>
> - 99
>
> Ps. feel free to elaborate and comment on that approach
>
>
> Peter Stavrinides wrote:
>>
>> Hi All
>>
>> Can anyone offer suggestions on best practice for handling validation,
>> specifically for preventing cross site scripting and code injection etc.,
>> in Tapestry applications. Is there anything built into the framework I could
>> use? If not, what is the best way to plug something of my own in? What I
>> mean is: should I write my own validator/s and use them in every form
>> component, or is there a more elegant way I should know about, say a
>> filter or something? Does anyone use a 3rd party library written
>> specifically for this?
>>
>> Thanks
>> Peter
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: [EMAIL PROTECTED]
>> For additional commands, e-mail: [EMAIL PROTECTED]
>>
>>
>>
>
> --
> View this message in context:
> http://www.nabble.com/Tapestry-5-validation-for-cross-site-scripting-tp17423136p17424712.html
> Sent from the Tapestry - User mailing list archive at Nabble.com.
>

--
View this message in context: http://www.nabble.com/Tapestry-5-validation-for-cross-site-scripting-tp17423136p17465939.html
Sent from the Tapestry - User mailing list archive at Nabble.com.
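The two approaches discussed in this thread, store the raw text and encode at render time, and, for the harder "user may enter some markup" case, keep only an allow-list of tags while encoding everything else (including script bodies, event-handler attributes and javascript: URLs) instead of silently dropping it, as an added example that is not code from the thread or from Tapestry; the allow-lists are constructed assumptions, and the sanitizer goes beyond the thread by handling both cases in one pass:

```python
import html
from html.parser import HTMLParser

# Constructed allow-list for the "some markup allowed" case; adjust per application.
ALLOWED_TAGS = {"b", "i", "em", "strong", "p", "br", "a"}
ALLOWED_ATTRS = {"a": {"href"}}
SAFE_URL_SCHEMES = ("http://", "https://", "mailto:")


def encode_for_html(raw: str) -> str:
    """No-markup case: keep the raw string in the database, encode only at render time."""
    return html.escape(raw, quote=True)


class AllowListSanitizer(HTMLParser):
    """Keeps allow-listed tags/attributes; everything else is entity-encoded, not dropped."""

    def __init__(self) -> None:
        super().__init__(convert_charrefs=False)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            # Unknown tag (script, img, iframe, ...) becomes literal, visible text.
            self.out.append(html.escape(self.get_starttag_text()))
            return
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # drops onclick=, onerror=, style=, ...
            if name == "href" and not (value or "").strip().lower().startswith(SAFE_URL_SCHEMES):
                continue  # drops javascript: and any other non-allow-listed URL scheme
            kept.append(f' {name}="{html.escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_startendtag(self, tag, attrs):
        if tag in ALLOWED_TAGS:
            self.handle_starttag(tag, attrs)  # <br/> is re-emitted as <br>
        else:
            self.out.append(html.escape(self.get_starttag_text()))

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>" if tag in ALLOWED_TAGS else html.escape(f"</{tag}>"))

    def handle_data(self, data):
        self.out.append(html.escape(data, quote=False))  # script bodies land here and get encoded

    def handle_entityref(self, name):
        self.out.append(f"&{name};")  # existing entities pass through unchanged

    def handle_charref(self, name):
        self.out.append(f"&#{name};")
    # HTML comments hit the default no-op handler and are dropped.


def sanitize_markup(raw: str) -> str:
    parser = AllowListSanitizer()
    parser.feed(raw)
    parser.close()
    return "".join(parser.out)
```

Apply `sanitize_markup` at render time too, so the stored value stays exactly what the user entered and other consumers of the database are unaffected.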