Posted to users@tapestry.apache.org by "Martijn Brinkers (List)" <ma...@gmail.com> on 2008/08/21 20:27:30 UTC

Re: Pattern or strategy to sanitize input for cross-site scripting characters.

It's not typical to HTML-escape input. HTML is about presentation and
most input is just input. In other words, you want to HTML-escape just
before presenting the input to the user but not store the input escaped
(at least I think that's what most applications use).

Tapestry does already HTML-escape all output unless you render the data
raw on purpose. There are however a few things that you should be careful
of. If you dynamically add some JavaScript based on user input (using a
Mixin for example) you should make sure that the user input cannot
'escape' the quotes of your JavaScript code because that would create a
possible XSS vulnerability.

Martijn

On Thu, 2008-08-21 at 12:12 -0600, Eric Rogers wrote:
> Hello Howard,
> 
> Does Tapestry provide any way to do this on input, even if it is just for
> all form data that is submitted?  Perhaps being able to wire an interceptor
> of some form in?
> 
> Thanks,
> 
> Eric
> 
> 
> On Thu, Aug 21, 2008 at 11:57 AM, Eric Rogers <pu...@gmail.com> wrote:
> 
> > Hello Howard,
> >
> > Thanks for the information.
> >
> > Thanks,
> >
> > Eric
> >
> >
> >
> > On Tue, Aug 19, 2008 at 1:18 PM, Howard Lewis Ship <hl...@gmail.com> wrote:
> >
> >> Tapestry mostly captures this on the output side; that is, when you
> >> output a string (using, say ${property} expansion), the output is
> >> filtered; the key HTML entities, "<", "&" and ">", are converted to
> >> proper entities: "&lt;", etc.
> >>
> >> On Tue, Aug 19, 2008 at 11:11 AM, Eric Rogers <pu...@gmail.com>
> >> wrote:
> >> > Hello All,
> >> >
> >> > I am using Tapestry 5.0.14 and am looking to filter input in my Tapestry
> >> > application for characters related to cross-site scripting.  Some input
> >> is
> >> > from regular form submission, while other input is received using AJAX
> >> event
> >> > listeners and JSON.  I realize that one can use a custom translator to
> >> scrub
> >> > any unwanted characters from input for a given field.  However, I was
> >> > wondering if anyone has come across a more general pattern or strategy
> >> to do
> >> > this for both form and JSON input without having to explicitly define a
> >> > translator for form fields, and manually call some method to do the same
> >> for
> >> > a JSONObject.
> >> >
> >> > Thanks,
> >> >
> >> > Eric
> >> >
> >>
> >>
> >>
> >> --
> >> Howard M. Lewis Ship
> >>
> >> Creator Apache Tapestry and Apache HiveMind
> >>
> >>
> >>
> >


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tapestry.apache.org
For additional commands, e-mail: users-help@tapestry.apache.org
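The point Martijn and Howard make above, as an added example that is not part of the thread and not Tapestry's own code: HTML-entity escaping of the three characters Howard lists is the right transform for element content, but a value dropped into a generated JavaScript string literal needs escaping for that context, or it can close the quotes and run its own statement. The example models both renderings and executes the generated script body with Node's Function constructor standing in for the browser, with a stub `alert` that records calls. The function names, the `var name = ...` template, and the sample inputs are constructed for illustration.

```javascript
// Added example, not code from the Tapestry project or from the thread.
// It models the two output contexts the thread discusses: HTML element
// content, which Tapestry's ${property} expansion escapes, and a
// JavaScript string literal built from user input, which needs its own
// escaping. The Node.js Function constructor stands in for the browser's
// script execution; `alert` is a recording stub.

// HTML element-content escaping as Howard describes it: "<", "&", ">".
// (A real escaper also handles quotes for attribute values; that does
// not change the conclusion below.)
function escapeHtmlContent(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// JavaScript string-literal escaping: JSON.stringify produces a quoted
// literal with backslashes, quotes and control characters escaped, so the
// value cannot close the quotes. "<" and ">" are then written as \u003c
// and \u003e so the literal can never contain "</script>", which the HTML
// parser would honour regardless of JavaScript quoting. U+2028/U+2029 are
// line terminators in older JavaScript engines and are escaped as well.
function escapeJsStringLiteral(value) {
  return JSON.stringify(String(value))
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// The mistake Martijn warns about: user input dropped into generated
// JavaScript inside hand-written quotes, with only HTML escaping applied.
function renderScriptNaive(userInput) {
  return `<script>var name = '${escapeHtmlContent(userInput)}';</script>`;
}

// The corrected form: the value is emitted as a complete JavaScript literal.
function renderScriptSafe(userInput) {
  return `<script>var name = ${escapeJsStringLiteral(userInput)};</script>`;
}

// Executes the generated <script> body the way a browser would, with a
// stub alert() that records calls. Returns what `name` ended up holding
// and how many times alert() fired. Script content is raw text to the
// HTML parser, so no entity decoding happens here either.
function runGeneratedScript(html) {
  const match = /^<script>([\s\S]*)<\/script>$/.exec(html);
  if (!match) throw new Error('unexpected markup');
  const calls = [];
  const alert = (arg) => calls.push(arg);
  const run = new Function('alert', `${match[1]}\nreturn name;`);
  return { name: run(alert), alertCalls: calls.length };
}

// Constructed attacker input: closes the single-quoted literal, runs a
// statement, and comments out the rest of the line.
const BREAKOUT = "'; alert(1); //";
// Constructed benign input with characters HTML escaping would mangle
// once they reach JavaScript.
const BENIGN = 'Tom & Jerry <3 "quotes"';

// Runs all four combinations and returns the observed outcomes.
function demo() {
  return {
    naive: runGeneratedScript(renderScriptNaive(BREAKOUT)),
    safe: runGeneratedScript(renderScriptSafe(BREAKOUT)),
    naiveBenign: runGeneratedScript(renderScriptNaive(BENIGN)),
    safeBenign: runGeneratedScript(renderScriptSafe(BENIGN)),
  };
}

console.log(demo());
```

With the breakout input, the naive rendering fires `alert` once and leaves `name` empty; the safe rendering fires nothing and `name` holds the input verbatim. The benign input shows the second cost of using the wrong escaper: HTML entities survive into the JavaScript value (`Tom &amp; Jerry &lt;3 ...`), whereas the JS-literal form round-trips the value exactly. Escaping per output context, at render time, is what makes storing raw input safe.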


Re: Pattern or strategy to sanitize input for cross-site scripting characters.

Posted by Eric Rogers <pu...@gmail.com>.
Thanks, greatly appreciated.

Eric

On Thu, Aug 21, 2008 at 12:27 PM, Martijn Brinkers (List) <martijn.list@gmail.com> wrote:

> It's not typical to HTML-escape input. HTML is about presentation and
> most input is just input. In other words, you want to HTML-escape just
> before presenting the input to the user but not store the input escaped
> (at least I think that's what most applications use).
>
> Tapestry does already HTML-escape all output unless you render the data
> raw on purpose. There are however a few things that you should be careful
> of. If you dynamically add some JavaScript based on user input (using a
> Mixin for example) you should make sure that the user input cannot
> 'escape' the quotes of your JavaScript code because that would create a
> possible XSS vulnerability.
>
> Martijn
>
> On Thu, 2008-08-21 at 12:12 -0600, Eric Rogers wrote:
> > Hello Howard,
> >
> > Does Tapestry provide any way to do this on input, even if it is just for
> > all form data that is submitted?  Perhaps being able to wire an
> interceptor
> > of some form in?
> >
> > Thanks,
> >
> > Eric
> >
> >
> > On Thu, Aug 21, 2008 at 11:57 AM, Eric Rogers <pu...@gmail.com>
> wrote:
> >
> > > Hello Howard,
> > >
> > > Thanks for the information.
> > >
> > > Thanks,
> > >
> > > Eric
> > >
> > >
> > >
> > > On Tue, Aug 19, 2008 at 1:18 PM, Howard Lewis Ship <hlship@gmail.com> wrote:
> > >
> > >> Tapestry mostly captures this on the output side; that is, when you
> > >> output a string (using, say ${property} expansion), the output is
> > >> filtered; the key HTML entities, "<", "&" and ">", are converted to
> > >> proper entities: "&lt;", etc.
> > >>
> > >> On Tue, Aug 19, 2008 at 11:11 AM, Eric Rogers <pu...@gmail.com>
> > >> wrote:
> > >> > Hello All,
> > >> >
> > >> > I am using Tapestry 5.0.14 and am looking to filter input in my
> Tapestry
> > >> > application for characters related to cross-site scripting.  Some
> input
> > >> is
> > >> > from regular form submission, while other input is received using
> AJAX
> > >> event
> > >> > listeners and JSON.  I realize that one can use a custom translator
> to
> > >> scrub
> > >> > any unwanted characters from input for a given field.  However, I
> was
> > >> > wondering if anyone has come across a more general pattern or
> strategy
> > >> to do
> > >> > this for both form and JSON input without having to explicitly
> define a
> > >> > translator for form fields, and manually call some method to do the
> same
> > >> for
> > >> > a JSONObject.
> > >> >
> > >> > Thanks,
> > >> >
> > >> > Eric
> > >> >
> > >>
> > >>
> > >>
> > >> --
> > >> Howard M. Lewis Ship
> > >>
> > >> Creator Apache Tapestry and Apache HiveMind
> > >>
> > >>
> > >>
> > >
>
>
>
>