Posted to user@struts.apache.org by Scott Van Wart <sc...@indosoft.com> on 2006/08/17 23:14:27 UTC

Ready-made function somewhere to escape HTML?

Hello,

I have user-entered input managed by a few custom tags (Java classes, 
not tag files), and I need to encode this stuff to escape any special 
HTML characters the user might type.  Is there a special one in Struts I 
can/should use, or should I write my own? (Struts 1.2.9, Tomcat 5.5.17)

- Scott


---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
For additional commands, e-mail: user-help@struts.apache.org


Re: Ready-made function somewhere to escape HTML?

Posted by Gareth Evans <ga...@msoft.co.uk>.
You could also use the org.apache.commons.lang.StringEscapeUtils

It has many useful methods such as escapeHtml, escapeJava, escapeJavaScript, escapeXml, escapeSql and more.

I'm currently using commons-lang-2.1.jar

Gareth

Laurie Harper wrote:
> Scott Van Wart wrote:
>> Frank W. Zammetti wrote:
>>> Hi Scott... have a look at the ResponseHelpers class in Java Web Parts:
>>>
>>> http://javawebparts.sourceforge.net
>>>
>>> More precisely:
>>>
>>> http://javawebparts.sourceforge.net/javadocs/index.html
>>>
>>> The encodeEntities() method should do the trick.
>>
>> Ahh... that class name you mentioned made me think of a class I saw 
>> while stepping through some code... I think 
>> org.apache.struts.util.ResponseUtils#filter will do the trick :).
> 
> If you want to escape the user-entered data at render time (i.e. when 
> you display it), that's already supported by various output-related tags 
> (c:out, bean:write, etc.) Escaping at render time is the usual approach, 
> since it protects you against malicious inputs from other sources (e.g. 
> SQL injection, bad database imports, etc.) I'm not aware of any 
> 'standard' facilities for doing this to the user's input at submit-time, 
> though; if you want to do that, the ResponseUtils.filter() method is 
> probably your best bet.
> 
> L.
> 

-- 
Gareth Evans

Senior Developer

MSoft eSolutions Limited
Technology Centre
Inward Way
Rossmore Business Park
Ellesmere Port
Cheshire
CH65 3EN

-- 
Tel:    +44 (0)870 0100 704
Fax:    +44 (0)870 9010 705
E-Mail: gareth@msoft.co.uk
Web:    www.msoft.co.uk





Re: Ready-made function somewhere to escape HTML?

Posted by Laurie Harper <la...@holoweb.net>.
Scott Van Wart wrote:
> Frank W. Zammetti wrote:
>> Hi Scott... have a look at the ResponseHelpers class in Java Web Parts:
>>
>> http://javawebparts.sourceforge.net
>>
>> More precisely:
>>
>> http://javawebparts.sourceforge.net/javadocs/index.html
>>
>> The encodeEntities() method should do the trick.
> 
> Ahh... that class name you mentioned made me think of a class I saw 
> while stepping through some code... I think 
> org.apache.struts.util.ResponseUtils#filter will do the trick :).

If you want to escape the user-entered data at render time (i.e. when 
you display it), that's already supported by various output-related tags 
(c:out, bean:write, etc.). Escaping at render time is the usual approach, 
since it protects you against malicious inputs from other sources (e.g. 
SQL injection, bad database imports, etc.). I'm not aware of any 
'standard' facilities for doing this to the user's input at submit-time, 
though; if you want to do that, the ResponseUtils.filter() method is 
probably your best bet.

L.


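Laurie's render-time point, illustrated with an added example that is not from the thread, from Struts or from commons-lang: a minimal escaper of the kind ResponseUtils.filter() and StringEscapeUtils.escapeHtml() provide, plus a check showing why escaping at submit time and again at render time double-encodes the value. The class and method names (HtmlEscapeDemo, escapeHtml, doubleEscapes) are hypothetical, and the sample input is constructed.

```java
public class HtmlEscapeDemo {

    /** Escapes the characters that let text break out of an HTML text node or quoted attribute. */
    public static String escapeHtml(String value) {
        if (value == null) {
            return null;
        }
        StringBuilder out = new StringBuilder(value.length() + 16);
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    /** True when a value that has already been escaped would be altered by escaping it again. */
    public static boolean doubleEscapes(String alreadyEscaped) {
        return !escapeHtml(alreadyEscaped).equals(alreadyEscaped);
    }

    public static void main(String[] args) {
        // Constructed sample of user-entered text containing HTML-significant characters.
        String submitted = "Tom & Jerry said \"<b>hi</b>\"";

        // Render-time escaping only, which is what c:out and bean:write do for you.
        String renderedOnce = escapeHtml(submitted);
        System.out.println("Escaped once at render time: " + renderedOnce);

        // Escaping at submit time as well means the stored value already holds entities,
        // so the render-time escape encodes the '&' of each entity a second time.
        String storedEscaped = escapeHtml(submitted);
        String renderedTwice = escapeHtml(storedEscaped);
        System.out.println("Escaped at submit and render time: " + renderedTwice);
        System.out.println("Double-escaped: " + doubleEscapes(storedEscaped));
    }
}
```

If you do escape at submit time, the output tags must then be told not to escape again (for example the filter="false" attribute on bean:write, or escapeXml="false" on c:out), which is the usual source of double-encoded text.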


Re: Ready-made function somewhere to escape HTML?

Posted by Scott Van Wart <sc...@indosoft.com>.
Frank W. Zammetti wrote:
> Hi Scott... have a look at the ResponseHelpers class in Java Web Parts:
>
> http://javawebparts.sourceforge.net
>
> More precisely:
>
> http://javawebparts.sourceforge.net/javadocs/index.html
>
> The encodeEntities() method should do the trick.

Ahh... that class name you mentioned made me think of a class I saw 
while stepping through some code... I think 
org.apache.struts.util.ResponseUtils#filter will do the trick :).

Thanks,
  Scott




Re: Ready-made function somewhere to escape HTML?

Posted by "Frank W. Zammetti" <fz...@omnytex.com>.
Hi Scott... have a look at the ResponseHelpers class in Java Web Parts:

http://javawebparts.sourceforge.net

More precisely:

http://javawebparts.sourceforge.net/javadocs/index.html

The encodeEntities() method should do the trick.

Frank

-- 
Frank W. Zammetti
Founder and Chief Software Architect
Omnytex Technologies
http://www.omnytex.com
AIM/Yahoo: fzammetti
MSN: fzammetti@hotmail.com
Author of "Practical Ajax Projects With Java Technology"
 (2006, Apress, ISBN 1-59059-695-1)
Java Web Parts - http://javawebparts.sourceforge.net
 Supplying the wheel, so you don't have to reinvent it!

On Thu, August 17, 2006 5:14 pm, Scott Van Wart wrote:
> Hello,
>
> I have user-entered input managed by a few custom tags (Java classes,
> not tag files), and I need to encode this stuff to escape any special
> HTML characters the user might type.  Is there a special one in Struts I
> can/should use, or should I write my own? (Struts 1.2.9, Tomcat 5.5.17)
>
> - Scott
>

