Posted to dev@struts.apache.org by Edgar Poce <ed...@gmail.com> on 2004/12/19 22:51:32 UTC

Escape html

Hi
TagUtils.filter(String value) only filters 4 HTML-sensitive characters
while there are many more. Is there any special reason, or is it a bug?

Regards
Edgar

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@struts.apache.org
For additional commands, e-mail: dev-help@struts.apache.org


Re: Escape html

Posted by Craig McClanahan <cr...@gmail.com>.
On Sun, 19 Dec 2004 19:24:23 -0300, Edgar Poce <ed...@gmail.com> wrote:
>  > Are there any other characters that should be filtered for security
>  > reasons?
> 
> I think there are not. I thought it was an HTML escape tool and I
> expected it to replace 'à' with "&agrave" for example. But I see that's not
> the purpose.
> 
> Does it make sense to add an "escape" attribute with values "html",
> "javascript", ...?

I guess I am still missing the use case for doing this sort of thing
... what's the reasoning?

If you're talking about webapps, by the way, another option is to use
a Servlet Filter that intercepts the output and performs this sort of
transformation.  That solution would work on *any* way to generate the
markup -- without requiring that the application source be modified.

> 
> Thanks for your quick response
> Edgar

Craig



Re: Escape html

Posted by Edgar Poce <ed...@gmail.com>.
 > Are there any other characters that should be filtered for security
 > reasons?

I think there are not. I thought it was an HTML escape tool and I
expected it to replace 'à' with "&agrave" for example. But I see that's not
the purpose.

Does it make sense to add an "escape" attribute with values "html",
"javascript", ...?

Thanks for your quick response
Edgar

Craig McClanahan wrote:
> The purpose for filtering these four characters is to avoid cross site
> scripting attacks that would otherwise be possible if an application
> accepted an input text field that had something like a <script>
> element in it, and then wrote that text to an HTML output stream with
> no modifications.
> 
> Are there any other characters that should be filtered for security
> reasons?  If not, what's the use case for converting anything else to
> its &xxx; equivalent?  Which, among other things, can cause you some
> grief if you're trying to do XML validation of the resulting output.
> 
> Craig
> 
> 
> On Sun, 19 Dec 2004 18:51:32 -0300, Edgar Poce <ed...@gmail.com> wrote:
> 
>>Hi
>>TagUtils.filter(String value) only filters 4 HTML-sensitive characters
>>while there are many more. Is there any special reason, or is it a bug?
>>
>>Regards
>>Edgar
>>



Re: Escape html

Posted by Craig McClanahan <cr...@gmail.com>.
The purpose for filtering these four characters is to avoid cross site
scripting attacks that would otherwise be possible if an application
accepted an input text field that had something like a <script>
element in it, and then wrote that text to an HTML output stream with
no modifications.

Are there any other characters that should be filtered for security
reasons?  If not, what's the use case for converting anything else to
its &xxx; equivalent?  Which, among other things, can cause you some
grief if you're trying to do XML validation of the resulting output.

Craig


On Sun, 19 Dec 2004 18:51:32 -0300, Edgar Poce <ed...@gmail.com> wrote:
> Hi
> TagUtils.filter(String value) only filters 4 HTML-sensitive characters
> while there are many more. Is there any special reason, or is it a bug?
> 
> Regards
> Edgar
> 

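An added example (not code from this thread or from Struts itself) illustrating the two points raised above: a minimal filter in the style of TagUtils.filter that replaces only the markup-significant characters (assumed here to be <, >, & and "; the thread does not list the four), a separate escaper for the JavaScript-string context Edgar asks about, and a well-formedness check showing why a named entity such as &agrave; breaks XML processing of the output while the four escapes and numeric character references do not. The class name EscapeDemo and the method names are mine.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.xml.sax.helpers.DefaultHandler;

public class EscapeDemo {

    /**
     * Minimal HTML escaping in the spirit of TagUtils.filter: only the
     * characters that can change the structure of HTML markup are replaced.
     * Replacing just these stops an injected <script> element from being
     * interpreted as markup when the value is written to an HTML page.
     * (Which four characters Struts filters is an assumption here.)
     */
    public static String filter(String value) {
        if (value == null) {
            return null;
        }
        StringBuilder sb = new StringBuilder(value.length() + 16);
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /**
     * Escaping for a different output context: a value placed inside a
     * JavaScript string literal. HTML entities are meaningless there, so an
     * "escape=javascript" mode would instead escape quotes, backslashes and
     * line terminators, and encode '<' and '>' as \u003c / \u003e so that a
     * literal "</script>" cannot terminate the enclosing script element.
     */
    public static String escapeJsString(String value) {
        if (value == null) {
            return null;
        }
        StringBuilder sb = new StringBuilder(value.length() + 16);
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            switch (c) {
                case '\\': sb.append("\\\\");   break;
                case '\'': sb.append("\\'");    break;
                case '"':  sb.append("\\\"");   break;
                case '\n': sb.append("\\n");    break;
                case '\r': sb.append("\\r");    break;
                case '<':  sb.append("\\u003c"); break;
                case '>':  sb.append("\\u003e"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /**
     * Wraps a markup fragment in a root element and checks that the result is
     * well-formed XML. XML predefines only lt, gt, amp, quot and apos; a named
     * HTML entity such as &agrave; is an undeclared entity reference and is
     * rejected, which is the "grief" with XML validation mentioned above.
     */
    public static boolean isWellFormedXml(String fragment) {
        try {
            DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
            try {
                // No DTD means no entity declarations and no external entities.
                f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
            } catch (ParserConfigurationException ignored) {
                // Feature unsupported by this parser; the check below still works.
            }
            DocumentBuilder b = f.newDocumentBuilder();
            b.setErrorHandler(new DefaultHandler()); // fatal errors throw, nothing printed
            String doc = "<root>" + fragment + "</root>";
            b.parse(new ByteArrayInputStream(doc.getBytes(StandardCharsets.UTF_8)));
            return true;
        } catch (Exception e) {
            return false;
        }
    }

    public static void main(String[] args) {
        // Constructed sample input: the kind of text field value the thread describes.
        String input = "<script>alert(1)</script> & \"quotes\" à";
        String html = filter(input);
        System.out.println("HTML:        " + html);
        System.out.println("well-formed: " + isWellFormedXml(html));
        System.out.println("&agrave;     " + isWellFormedXml("&agrave;"));
        System.out.println("&#224;       " + isWellFormedXml("&#224;"));
        System.out.println("JS:          var s = '" + escapeJsString("it's </script>") + "';");
    }
}
```

Running the class shows that the four-character filter leaves 'à' untouched yet still produces output that parses as XML, that the named entity &agrave; alone does not, that a numeric reference does, and that the same input needs a different transformation inside a JavaScript string. That last point is the practical argument for an escape mode keyed to the output context rather than a longer list of HTML characters.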