Posted to user@struts.apache.org by Brian McSweeney <br...@aurium.net> on 2003/07/14 11:49:50 UTC

two little questions

Question 1:

If my application allows users to enter text which will then later be displayed on web pages, do I have to ensure that the text they write isn't HTML? For example, let's say a message board application. If a user enters loads of text which is HTML, will this not mess up the page when it is displayed? If so, how do people check for this?

Question 2:

If I want my app to be able to allow users to enter text in any language, e.g. multilingual message boards, do I have to configure my database to be able to handle multiple language types, or should it just work?

Thanks for any replies,
Brian

RE: two little questions

Posted by Brian McSweeney <br...@aurium.net>.
Thanks Wes,
That's what I'm looking for!
Cheers,
Brian

-----Original Message-----
From: Wes Rood [mailto:wes9999@myfastmail.com] 
Sent: 14 July 2003 15:32
To: Struts Users Mailing List
Subject: Re: two little questions

Q1:
Look at OSCore from Opensymphony:
http://www.opensymphony.com/oscore/

Specifically, the plainTextToHtml method in the TextUtils class:
http://www.opensymphony.com/oscore/api/com/opensymphony/util/TextUtils.html#plainTextToHtml(java.lang.String)

This does exactly what Andrew mentions, plus it takes care of line breaks.


---------------------------------------------------------------------
To unsubscribe, e-mail: struts-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: struts-user-help@jakarta.apache.org


Re: two little questions

Posted by Wes Rood <we...@myfastmail.com>.
Q1:
Look at OSCore from Opensymphony:
http://www.opensymphony.com/oscore/

Specifically, the plainTextToHtml method in the TextUtils class: 
http://www.opensymphony.com/oscore/api/com/opensymphony/util/TextUtils.html#plainTextToHtml(java.lang.String)

This does exactly what Andrew mentions, plus it takes care of line breaks.


Andrew Hill wrote:

>Another alternative is similar: convert the < and > to &lt; and &gt; etc.
>so it outputs as though it was text.

RE: two little questions

Posted by Andrew Hill <an...@gridnode.com>.
Another alternative is similar: convert the < and > to &lt; and &gt; etc.
so it outputs as though it was text.

-----Original Message-----
From: Brian McSweeney [mailto:brian.mcsweeney@aurium.net]
Sent: Monday, 14 July 2003 18:38
To: 'Struts Users Mailing List'
Subject: RE: two little questions


Hi Simon,
That was my original idea too. Just wanted to see if other people were
doing the same.

Cheers,
Brian



RE: two little questions

Posted by Brian McSweeney <br...@aurium.net>.
Hi Simon,
That was my original idea too. Just wanted to see if other people were 
doing the same.

Cheers,
Brian

-----Original Message-----
From: Simon Kelly [mailto:kelly@ipe.fzk.de] 
Sent: 14 July 2003 10:58
To: Struts Users Mailing List
Subject: Re: two little questions

For Q1.

You could pass the data that they enter through a parser that delimits out
the <...> tags by placing '!--' after any '<' and '--' before any '>'; this
will stop this text being viewed as HTML. Or just remove the tags, or allow
certain tags and remove any that aren't in the allowable ones!

Cheers

Simon



Re: two little questions

Posted by Simon Kelly <ke...@ipe.fzk.de>.
For Q1.

You could pass the data that they enter through a parser that delimits out
the <...> tags by placing '!--' after any '<' and '--' before any '>'; this
will stop this text being viewed as HTML. Or just remove the tags, or allow
certain tags and remove any that aren't in the allowable ones!

Cheers

Simon

----- Original Message -----
From: "Brian McSweeney" <br...@aurium.net>
To: <st...@jakarta.apache.org>
Sent: Monday, July 14, 2003 11:49 AM
Subject: two little questions


> Question1:
>
> If my application allows users to enter text which will then later be
> displayed on
> web pages, do I have to ensure that the text they write isn't html. For
> example,
> lets say a message board application. If a user enters in loads of text
> which is
> html, will this not mess up the page when it is displayed? If so, how do
> people
> check for this.
>
> Question2:
>
> If I want my app to be able to allow users to enter text in any language
> - eg,
> multi-lingual message boards, do I have to configure my database to be
> able to
> handle multiple language types, or should it just work.
>
> Thanks for any replies,
> Brian
>
>




Re: two little questions

Posted by Dichotomy <di...@greenmail.ch>.
I would think that Q2 basically depends on which database you're using. You should be able to find out what character encoding your database supports by reading the documentation for the field type you're using (e.g. varchar).

To complete the answer to your first question with a "why", yes, you should filter out html, unless you know that all the users can be trusted 100% (and you know that you're not storing any sensitive information in cookies). In the olden days, Easyboards allowed html and, incidentally, javascript, AND stored the username and password in a cookie. It was a simple matter to write a script that called an image on my server with, as arguments, the cookie values (don't worry, I only did it as a proof of concept and filtered out the middle characters of all the passwords before posting it up! :-P). If all you store in the cookie is the session ID, you're probably safe from that type of attack. However, there's other annoying things people can do such as break the layout of your forum.

A good solution for an untrusted forum (e.g. not the internal company forum) would be to turn all the < and > into &lt; and &gt; as suggested, and then to provide the alternative of using UBB-like tags, e.g. [b]..[/b] for bold, etc. You can pick these out with regular expressions yourself, or there are probably already libraries out there somewhere that will do this for you, if you can find them.


-- 
If education is too expensive, try ignorance.

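Putting the two suggestions in this thread together, here is an added example; it is not code from the thread, from OSCore's TextUtils, or from Struts. Stage one is the escape-then-keep-line-breaks step Andrew and Wes describe; stage two is the allowlist of UBB-style tags Dichotomy suggests, run on the already-escaped text. The class name ForumText, the tag set ([b], [i], [url=...]) and the sample posts in main are assumptions made for this example, and the http(s)-only check on [url] is an extra caveat the thread does not mention.

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Render untrusted forum text for an HTML page (example code, not OSCore's).
 *
 * Stage 1 (plainTextToHtml) escapes every character the browser could read
 * as markup and keeps the user's line breaks.  Stage 2 (ubbToHtml) runs on
 * that escaped text and converts a short allowlist of [tags] into HTML, so
 * the only '<' the browser ever sees are the ones this class writes itself.
 * Class name and tag set are assumptions for this example.
 */
public final class ForumText {

    private ForumText() {}

    /** One pass over the input, so '&' is never double-encoded. */
    public static String escapeHtml(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break; // matters once text lands in an attribute
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    /** Escape, then turn newlines into <br> so the user's paragraphs survive. */
    public static String plainTextToHtml(String s) {
        return escapeHtml(s).replace("\r\n", "\n").replace("\n", "<br>\n");
    }

    private static final Pattern BOLD   = Pattern.compile("\\[b\\](.*?)\\[/b\\]", Pattern.DOTALL);
    private static final Pattern ITALIC = Pattern.compile("\\[i\\](.*?)\\[/i\\]", Pattern.DOTALL);
    // Only an absolute http(s) URL without whitespace is accepted as an href,
    // which keeps javascript: and data: links out.  Quotes were escaped in
    // stage 1, so the value cannot break out of the href="..." attribute.
    private static final Pattern URL =
        Pattern.compile("\\[url=(https?://[^\\]\\s]+)\\](.*?)\\[/url\\]", Pattern.DOTALL);

    /** Translate allowlisted UBB tags in escaped text; anything else stays literal. */
    public static String ubbToHtml(String escaped) {
        String s = BOLD.matcher(escaped).replaceAll("<b>$1</b>");
        s = ITALIC.matcher(s).replaceAll("<i>$1</i>");
        Matcher m = URL.matcher(s);
        StringBuffer sb = new StringBuffer();
        while (m.find()) {
            String link = "<a href=\"" + m.group(1) + "\">" + m.group(2) + "</a>";
            m.appendReplacement(sb, Matcher.quoteReplacement(link));
        }
        m.appendTail(sb);
        return sb.toString();
    }

    /** The full pipeline: call this at display time on the stored raw post. */
    public static String render(String post) {
        return ubbToHtml(plainTextToHtml(post));
    }

    public static void main(String[] args) {
        // Constructed sample posts for this example, not data from the thread.
        String[] posts = {
            "Hello <b>world</b> & friends",
            "a < b\n[b]bold[/b] and [i]italic[/i]",
            "[url=javascript:alert(1)]click[/url]",
            "[url=https://example.org/?a=1&b=2]site[/url]",
        };
        for (String p : posts) {
            System.out.println(render(p));
        }
    }
}
```

Do the conversion when rendering, not when storing: the raw post stays editable, and a later fix to escapeHtml covers every old post. Mis-nested input such as [b][i]x[/b][/i] comes out as mis-nested but harmless <b><i>x</b></i>; a [url] whose target is not http(s) is left on the page as literal text rather than turned into a link.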