Posted to user@struts.apache.org by Richard Sayre <ri...@gmail.com> on 2007/08/23 18:53:33 UTC

Sanitize Text

I was wondering what the best approach would be for taking form data
passed to an Action and removing 'special characters' from the data.
I am having issues with users pasting text from word docs etc.  We
only support ISO-8859-1 as of now and there are some characters that
Word will replace such as ' and " with characters that are outside the
8839-1 character set.

I was thinking about an interceptor that would sanitize the request
parameters before they are passed to the action.  Is this a good
approach?  Can anyone suggest a better one?  It does not matter if it
uses Struts or not.

Thank you

---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
For additional commands, e-mail: user-help@struts.apache.org


Re: Sanitize Text

Posted by "Frank W. Zammetti" <fz...@omnytex.com>.
I'd be more inclined towards a filter here, preferably close to the top 
of the chain... my thought is it's better to deal with things like that 
as soon as possible because there's less chance of something exploitable 
down the pipe.  We have a cross-site scripting filter in our standard 
security stack at work for precisely that reason.  I realize you're not 
stating security as your concern, but I think the argument would be very 
much the same... might not be an exploit you're too worried about, but an 
exception thrown that breaks the app for the user isn't much better :)

Frank

-- 
Frank W. Zammetti
Founder and Chief Software Architect
Omnytex Technologies
http://www.omnytex.com
AIM/Yahoo: fzammetti
MSN: fzammetti@hotmail.com
Author of "Practical Ajax Projects With Java Technology"
  (2006, Apress, ISBN 1-59059-695-1)
and "JavaScript, DOM Scripting and Ajax Projects"
  (2007, Apress, ISBN 1-59059-816-4)
Java Web Parts - http://javawebparts.sourceforge.net
  Supplying the wheel, so you don't have to reinvent it!

Toni Lyytikäinen wrote:
> You could just override the string conversion in xwork:
> 
> http://struts.apache.org/2.x/docs/type-conversion.html
> 
> define something like this in xwork-conversion.properties
> 
> java.lang.String=org.example.MyConverter
> 
> Then create a class MyConverter that extends the XWorkBasicConverter and
> override the behaviour of the convertValue method in the case of string to
> string conversion.
> 
> I'm not sure if this is actually a good way, but it's easy enough and with
> simple configuration it works everywhere in your webapp.
> 
> On 8/23/07, Ian Roughley <ia...@fdar.com> wrote:
>> This is a good approach.  In fact, you might start with the params
>> interceptor - as it is responsible for assigning data to the action, and
>> all that is needed is to sanitize before assignment.
>>
>> /Ian
>>
>> Richard Sayre wrote:
>>> I was wondering what the best approach would be for taking form data
>>> passed to an Action and removing 'special characters' from the data.
>>> I am having issues with users pasting text from word docs etc.  We
>>> only support ISO-8859-1 as of now and there are some characters that
>>> Word will replace such as ' and " with character that are outside the
>>> 8839-1 character set.
>>>
>>> I was thinking about an interceptor that would sanitize the request
>>> parameters before they are passed to the action.  Is this a good
>>> approach?  Can anyone suggest a better one?  It does not matter if it
>>> uses Struts or not.
>>>
>>> Thank you
>>>




Re: Sanitize Text

Posted by Toni Lyytikäinen <to...@gmail.com>.
You could just override the string conversion in xwork:

http://struts.apache.org/2.x/docs/type-conversion.html

define something like this in xwork-conversion.properties

java.lang.String=org.example.MyConverter

Then create a class MyConverter that extends the XWorkBasicConverter and
override the behaviour of the convertValue method in the case of string to
string conversion.

I'm not sure if this is actually a good way, but it's easy enough and with
simple configuration it works everywhere in your webapp.

On 8/23/07, Ian Roughley <ia...@fdar.com> wrote:
>
> This is a good approach.  In fact, you might start with the params
> interceptor - as it is responsible for assigning data to the action, and
> all that is needed is to sanitize before assignment.
>
> /Ian
>
> Richard Sayre wrote:
> > I was wondering what the best approach would be for taking form data
> > passed to an Action and removing 'special characters' from the data.
> > I am having issues with users pasting text from word docs etc.  We
> > only support ISO-8859-1 as of now and there are some characters that
> > Word will replace such as ' and " with character that are outside the
> > 8839-1 character set.
> >
> > I was thinking about an interceptor that would sanitize the request
> > parameters before they are passed to the action.  Is this a good
> > approach?  Can anyone suggest a better one?  It does not matter if it
> > uses Struts or not.
> >
> > Thank you
> >

Re: Sanitize Text

Posted by Ian Roughley <ia...@fdar.com>.
This is a good approach.  In fact, you might start with the params 
interceptor - as it is responsible for assigning data to the action, and 
all that is needed is to sanitize before assignment. 

/Ian

Richard Sayre wrote:
> I was wondering what the best approach would be for taking form data
> passed to an Action and removing 'special characters' from the data.
> I am having issues with users pasting text from word docs etc.  We
> only support ISO-8859-1 as of now and there are some characters that
> Word will replace such as ' and " with character that are outside the
> 8839-1 character set.
>
> I was thinking about an interceptor that would sanitize the request
> parameters before they are passed to the action.  Is this a good
> approach?  Can anyone suggest a better one?  It does not matter if it
> uses Struts or not.
>
> Thank you
>

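Added example, not code from any poster in this thread: a JDK-only helper (Java 9+) that a filter, the params interceptor or a string converter could call on each parameter value before it reaches the Action. The class name, the substitution table, the dropping of control characters and the use of '?' for unmappable characters are all assumptions made for illustration.

```java
import java.nio.charset.CharsetEncoder;
import java.nio.charset.StandardCharsets;
import java.util.Map;

public class Latin1Sanitizer {
    // Constructed table: punctuation Word auto-substitutes, mapped to
    // equivalents that exist in ISO-8859-1.
    private static final Map<Character, String> WORD_SUBSTITUTES = Map.of(
        '\u2018', "'",  '\u2019', "'",  '\u201A', "'",    // single quotes
        '\u201C', "\"", '\u201D', "\"", '\u201E', "\"",   // double quotes
        '\u2013', "-",  '\u2014', "-",                    // en and em dash
        '\u2026', "...", '\u2022', "*");                  // ellipsis, bullet

    public static String sanitize(String input) {
        if (input == null) return null;
        // CharsetEncoder is not thread-safe, so create one per call.
        CharsetEncoder latin1 = StandardCharsets.ISO_8859_1.newEncoder();
        StringBuilder out = new StringBuilder(input.length());
        for (int i = 0; i < input.length(); ) {
            int cp = input.codePointAt(i);
            i += Character.charCount(cp);
            if (cp > 0xFFFF) { out.append('?'); continue; } // never in Latin-1
            char c = (char) cp;
            String mapped = WORD_SUBSTITUTES.get(c);
            if (mapped != null) {
                out.append(mapped);
            } else if (Character.isISOControl(c) && c != '\n' && c != '\r' && c != '\t') {
                // Drop C0/C1 controls; C1 codes often come from mis-decoded
                // Windows-1252 bytes and are encodable but never wanted.
            } else if (latin1.canEncode(c)) {
                out.append(c);
            } else {
                out.append('?'); // visible marker instead of a silent loss
            }
        }
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed sample of text pasted from Word.
        String pasted = "\u201CIt\u2019s done\u201D \u2013 caf\u00E9 \u20AC5\u2026";
        System.out.println(sanitize(pasted));
    }
}
```

Whichever hook calls it, this only normalizes the character set; values written back into HTML still need output encoding, which is the separate job of the cross-site scripting filter mentioned earlier in the thread.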