Posted to users@tapestry.apache.org by Peter Stavrinides <P....@albourne.com> on 2008/05/23 12:41:27 UTC

Tapestry 5 validation for cross site scripting

Hi All

Can anyone offer suggestions on best practice for handling validation, specifically for preventing cross site scripting, code injection etc. in Tapestry applications? Is there anything built into the framework I could use... if not, what is the best way to plug something of my own in? What I mean is, should I write my own validator(s) and use them in every form component, or is there a more elegant way I should know about, say a filter or something? Does anyone use a 3rd party library written specifically for this?

Thanks
Peter

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tapestry.apache.org
For additional commands, e-mail: users-help@tapestry.apache.org


Re: Tapestry 5 validation for cross site scripting

Posted by Martin Strand <do...@gmail.com>.
I wrote a webmail app once, where cross site scripting was a concern for html email messages.

I parsed the HTML message into a DOM with htmlcleaner, then removed all <script ...> tags, onXXX="..." attributes, and href="javascript:..." links before displaying the message. Perhaps it's over the top for your scenario, but it's a safe solution against XSS. :)

http://htmlcleaner.sourceforge.net/

Martin

On Fri, 23 May 2008 17:45:02 +0200, Peter Stavrinides <P....@albourne.com> wrote:

> Thanks Howard, we will give it a try... this is more appropriate for our requirements!
>
> cheers,
> Peter
> ----- Original Message -----
> From: "Howard Lewis Ship" <hl...@gmail.com>
> To: "Tapestry users" <us...@tapestry.apache.org>
> Sent: Friday, 23 May, 2008 6:20:21 PM GMT +02:00 Athens, Beirut, Bucharest, Istanbul
> Subject: Re: Tapestry 5 validation for cross site scripting
>
> Using the "parseClient" event, you could intercept the string
> submitted by the user and do the filtering before the value is
> assigned to a page property.
>
> You could also design a translator for this purpose.

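A sanitizer along the lines Martin describes, as an added example that is neither Martin's code nor part of the original post (it also covers the "user is allowed to enter markup through an editor" case raised later in the thread). It uses htmlcleaner, but works from an allow-list (keep only the listed elements, attributes and URL schemes, drop everything else) rather than removing known-bad constructs one by one. The class, the list contents and the HtmlCleaner 2.x calls (HtmlCleaner, TagNode, TagNodeVisitor, SimpleHtmlSerializer and the CleanerProperties setters) are my assumptions about that library's API; the input in main() is constructed.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Locale;
import java.util.Set;

import org.htmlcleaner.CleanerProperties;
import org.htmlcleaner.HtmlCleaner;
import org.htmlcleaner.HtmlNode;
import org.htmlcleaner.SimpleHtmlSerializer;
import org.htmlcleaner.TagNode;
import org.htmlcleaner.TagNodeVisitor;

// Allow-list sanitizer for user-supplied HTML (added example; assumes the HtmlCleaner 2.x API).
public class HtmlSanitizer {

    // Elements that may survive. html/body stay so the tree keeps its root; the
    // serializer is told to omit them. Anything not listed is removed with its subtree.
    private static final Set<String> ALLOWED_TAGS = new HashSet<String>(Arrays.asList(
            "html", "body", "p", "br", "b", "i", "em", "strong", "u", "ul", "ol", "li",
            "blockquote", "pre", "code", "a", "h1", "h2", "h3"));

    // Attributes that may survive, keyed "element.attribute"; "*" matches any allowed element.
    private static final Set<String> ALLOWED_ATTRS = new HashSet<String>(Arrays.asList(
            "a.href", "*.title"));

    // URL schemes accepted in href. Scripting schemes are simply absent from the list.
    private static final Set<String> ALLOWED_SCHEMES = new HashSet<String>(Arrays.asList(
            "http", "https", "mailto"));

    public static String sanitize(String untrustedHtml) {
        HtmlCleaner cleaner = new HtmlCleaner();
        CleanerProperties props = cleaner.getProperties();
        props.setOmitComments(true);          // no content we want lives in comments
        props.setOmitXmlDeclaration(true);
        props.setOmitDoctypeDeclaration(true);
        props.setOmitHtmlEnvelope(true);      // serialise a fragment, not a whole document

        TagNode root = cleaner.clean(untrustedHtml);
        final List<TagNode> toRemove = new ArrayList<TagNode>();

        root.traverse(new TagNodeVisitor() {
            public boolean visit(TagNode parent, HtmlNode node) {
                if (node instanceof TagNode) {
                    TagNode tag = (TagNode) node;
                    String name = tag.getName().toLowerCase(Locale.ROOT);
                    if (!ALLOWED_TAGS.contains(name)) {
                        toRemove.add(tag);    // defer: do not modify the tree mid-traversal
                    } else {
                        pruneAttributes(tag, name);
                    }
                }
                return true;                  // returning false would abort the whole traversal
            }
        });
        for (TagNode tag : toRemove) {
            tag.removeFromTree();
        }
        return new SimpleHtmlSerializer(props).getAsString(root);
    }

    // Drop every attribute not on the allow-list; this is what removes on*="..."
    // handlers, style, id, class and anything else an editor or a user put there.
    private static void pruneAttributes(TagNode tag, String name) {
        // Copy the names first because we delete from the attribute map while iterating.
        for (String attr : new ArrayList<String>(tag.getAttributes().keySet())) {
            String key = attr.toLowerCase(Locale.ROOT);
            boolean keep = ALLOWED_ATTRS.contains(name + "." + key) || ALLOWED_ATTRS.contains("*." + key);
            if (keep && key.equals("href") && !hasAllowedScheme(tag.getAttributeByName(attr))) {
                keep = false;
            }
            if (!keep) {
                tag.removeAttribute(attr);
            }
        }
    }

    // Relative URLs (no scheme) are accepted; absolute ones must use a listed scheme.
    // Whitespace and control characters are removed before the check because browsers
    // tolerate them inside a scheme; a colon after the first '/', '#' or '?' is not a scheme.
    static boolean hasAllowedScheme(String url) {
        if (url == null) return false;
        String cleaned = url.replaceAll("[\\s\\p{Cntrl}]", "").toLowerCase(Locale.ROOT);
        int colon = cleaned.indexOf(':');
        if (colon < 0) return true;                                       // relative URL
        int firstDelimiter = indexOfAny(cleaned, "/#?");
        if (firstDelimiter >= 0 && firstDelimiter < colon) return true;  // e.g. "/search?q=a:b"
        return ALLOWED_SCHEMES.contains(cleaned.substring(0, colon));
    }

    private static int indexOfAny(String s, String chars) {
        for (int i = 0; i < s.length(); i++) {
            if (chars.indexOf(s.charAt(i)) >= 0) return i;
        }
        return -1;
    }

    public static void main(String[] args) {
        // Constructed sample, not real user data: an inline handler, a scripting URL,
        // a script element and an ordinary link. Only the last should keep its attributes.
        String input = "<p onclick=\"doSomething()\">Hi <b>there</b>, "
                + "<a href=\"javascript:doSomething()\">one</a> and "
                + "<a href=\"https://example.org/\" title=\"ok\">two</a>"
                + "<script>doSomething()</script></p>";
        System.out.println(sanitize(input));
    }
}
```

Disallowed elements go with their whole subtree; if you would rather keep the text of, say, an unknown <font> element, unwrap it instead of removing it. The cleaned string is the one value that is meant to reach the page unescaped (Output with filter="false"); everything else the page writes should stay encoded as usual.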


Re: Tapestry 5 validation for cross site scripting

Posted by Peter Stavrinides <P....@albourne.com>.
Thanks Howard, we will give it a try... this is more appropriate for our requirements!

cheers,
Peter
----- Original Message -----
From: "Howard Lewis Ship" <hl...@gmail.com>
To: "Tapestry users" <us...@tapestry.apache.org>
Sent: Friday, 23 May, 2008 6:20:21 PM GMT +02:00 Athens, Beirut, Bucharest, Istanbul
Subject: Re: Tapestry 5 validation for cross site scripting

Using the "parseClient" event, you could intercept the string
submitted by the user and do the filtering before the value is
assigned to a page property.

You could also design a translator for this purpose.

-- 
Howard M. Lewis Ship

Creator Apache Tapestry and Apache HiveMind


Re: Tapestry 5 validation for cross site scripting

Posted by Howard Lewis Ship <hl...@gmail.com>.
Using the "parseClient" event, you could intercept the string
submitted by the user and do the filtering before the value is
assigned to a page property.

You could also design a translator for this purpose.

-- 
Howard M. Lewis Ship

Creator Apache Tapestry and Apache HiveMind
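The parseClient approach Howard describes, as an added example that is not his code and not Tapestry's own. It assumes the org.apache.tapestry5 package names (Tapestry 5.0.12 and later; earlier 5.0 builds used org.apache.tapestry), and the page class, field id and allow-list pattern are made up for the example.

```java
package com.example.pages;   // hypothetical page package

import java.util.regex.Pattern;

import org.apache.tapestry5.ValidationException;
import org.apache.tapestry5.annotations.Property;

// Added example of a parseClient event handler (not Howard's code, not Tapestry's).
// The matching template, EditProfile.tml, would contain inside a <t:form>:
//   <t:textfield t:id="displayName" value="displayName"/>
public class EditProfile {

    // Allow-list: letters, digits, space and a few punctuation marks, 1 to 64 characters.
    // Markup characters such as < > & " are simply outside the set, so they never reach
    // the property; there is no list of "bad" patterns to keep up to date.
    private static final Pattern DISPLAY_NAME = Pattern.compile("[\\p{L}\\p{N} .,'-]{1,64}");

    @Property
    private String displayName;

    // Tapestry fires "parseClient" for the field with t:id="displayName" and looks for a
    // handler named onParseClientFrom<FieldId>. It receives the raw submitted string; the
    // return value becomes the parsed value assigned to the property, and a
    // ValidationException marks the field invalid so the form re-renders with the error.
    Object onParseClientFromDisplayName(String clientValue) throws ValidationException {
        if (clientValue == null || clientValue.trim().length() == 0) {
            return null;   // emptiness is the "required" validator's job, not ours
        }
        String trimmed = clientValue.trim();
        if (!DISPLAY_NAME.matcher(trimmed).matches()) {
            throw new ValidationException(
                    "Display name may only contain letters, digits, spaces and . , ' -");
        }
        return trimmed;
    }
}
```

If many fields need the same rule, the check can be packaged once as a Validator and contributed to FieldValidatorSource, so fields pick it up through their validate parameter instead of each page carrying a handler. Either way this limits what gets stored; it does not replace escaping on output (the apostrophe is allowed above precisely because the page, not the database, is responsible for encoding it).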



Re: Tapestry 5 validation for cross site scripting

Posted by Thiago HP <th...@gmail.com>.
On 5/23/08, Peter Stavrinides <P....@albourne.com> wrote:
> The data in our database is shared by other apps, so its integrity is most
> important and requires extensive validation... therefore I would have to take a more
> defensive approach and filter out unwanted markup upfront.

What about using the Output component with its filter parameter set to true?

"If true, the default, then output is filtered, escaping any reserved
characters. If false, the output is written raw."

http://tapestry.apache.org/tapestry5/tapestry-core/ref/org/apache/tapestry/corelib/components/Output.html

-- 
Thiago



Re: Tapestry 5 validation for cross site scripting

Posted by 9902468 <vi...@cerion.fi>.
In that case the answer is simple, as Howard already mentioned: just filter
all unwanted stuff in parseClient or with a custom validator.

The story is much more challenging when the user is allowed to enter some
markup, or even javascript, but not the malicious type :) (We have even had
this in a requirements doc in one project. =D )

 -99


Peter Stavrinides wrote:
> 
> The data in our database is shared by other apps, so its integrity is most
> important and requires extensive validation... therefore I would have to
> take a more defensive approach and filter out unwanted markup upfront.

-- 
View this message in context: http://www.nabble.com/Tapestry-5-validation-for-cross-site-scripting-tp17423136p17465939.html
Sent from the Tapestry - User mailing list archive at Nabble.com.




Re: Tapestry 5 validation for cross site scripting

Posted by Peter Stavrinides <P....@albourne.com>.
The data in our database is shared by other apps, so its integrity is most important and requires extensive validation... therefore I would have to take a more defensive approach and filter out unwanted markup upfront.


Re: Tapestry 5 validation for cross site scripting

Posted by 9902468 <vi...@cerion.fi>.
Hi,

We have always done it so that the user can input anything they like, but when
the page renders, some marks like < and > are encoded to HTML entities. This
way the data is in the database exactly as the user intended, and the browser
etc. is safe because dangerous characters are encoded.

If you encode the data that goes to the database, then other systems that use
your data might fail. (For example, an encoded < has no meaning to some
systems...)

All this is much harder when the user is actually allowed to enter markup
directly into the page using, let's say, the Editor component (that uses fckeditor and
is missing a proper connector...), and that must be displayed correctly. Then
the detection of dangerous markup is a little more difficult, but javascript
should be encoded in this situation entirely.

 - 99

Ps. feel free to elaborate and comment that approach

-- 
View this message in context: http://www.nabble.com/Tapestry-5-validation-for-cross-site-scripting-tp17423136p17424712.html
Sent from the Tapestry - User mailing list archive at Nabble.com.
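The "store raw, encode when rendering" approach 99 describes, which is also what Thiago's Output component does with filter set to true, as an added example in plain Java rather than code from the thread or from Tapestry. The in-memory "database", the comment text and the markup around it are constructed; the point it shows is why the encoding belongs at output time and what goes wrong for other consumers when it is done on the way in.

```java
import java.util.ArrayList;
import java.util.List;

// Store raw, encode when rendering (added example; no Tapestry dependency).
public class RenderTimeEncoding {

    // Escapes the characters that can change how an HTML parser reads element
    // content or a double-quoted attribute value. Tapestry applies the same idea
    // when it writes ${...} expansions and Output values with filter="true".
    public static String forHtml(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // Stand-in for the shared database: holds what the user typed, unchanged.
    private final List<String> comments = new ArrayList<String>();

    public int store(String userInput) {
        comments.add(userInput);
        return comments.size() - 1;
    }

    // The HTML view is the only place that encodes, once, at the point of output.
    // The same raw string goes into an attribute and into element content; both
    // contexts are covered by forHtml as long as the attribute is double-quoted.
    public String renderAsHtml(int id) {
        String raw = comments.get(id);
        return "<li title=\"" + forHtml(raw) + "\">" + forHtml(raw) + "</li>";
    }

    // Any other consumer of the same table (reports, e-mail, another application)
    // gets the data as entered, which is why it must not be encoded on the way in.
    public String exportAsText(int id) {
        return comments.get(id);
    }

    public static void main(String[] args) {
        RenderTimeEncoding app = new RenderTimeEncoding();

        // Constructed sample input containing markup and both quote characters.
        int ok = app.store("Use <b>bold</b> & \"quotes\" or 'ticks'");
        System.out.println(app.renderAsHtml(ok));   // browser shows the text, runs nothing
        System.out.println(app.exportAsText(ok));   // other systems get the original

        // The alternative 99 warns against: encoding before storage. The HTML view
        // now escapes the '&' of the stored '&lt;' a second time, and the text export
        // hands an entity to systems that expected a plain '<'.
        int bad = app.store(forHtml("2 < 3"));
        System.out.println(app.renderAsHtml(bad));
        System.out.println(app.exportAsText(bad));
    }
}
```

In a Tapestry page the encoding step is done for you by ${...} expansions and by Output (filter="true" is the default); the example just makes visible what that filtering does and why it is applied per output context rather than once in the database.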

