encodeForHTMLAttribute or encodeForJavascript -XSS - jsp

I have the following code snippet and I am encoding it to prevent XSS.
<% if (answerList.size() > 2) {
    out.write("<td width='30%' class='label' nowrap='nowrap'><label>" + addressValue + "</label></td>");
} %>
Here I have to encode the address value. If anything that comes inside a scriptlet tag is Java code, should I consider using encodeForJavascript(), or since it's just rendering HTML should I consider using encodeForHTMLAttribute()? It may sound silly the way I put it, but I really need someone to guide me. I couldn't find enough resources for a proper understanding of this. Thanks in advance.
Update: now I have seen something new and I would like to update my question further.
<td>
<%
out.write(request.getParameter("address"));
%>
</td>
In the above code it's a scriptlet again, but the HTML tags are placed outside. Which one should I consider?

encodeForJavascript is only suitable for some JavaScript code, but not Java.
You should encode based on the rendered output, which is HTML. encodeForHTMLAttribute will do for attributes. Here you have a value between tags instead of an attribute, so you can use encodeForHTML.
If you then try rendering a value with quotes, for example, you should see the output with entity encoding, and rendered correctly in the browser.
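As an added example (not from the question or the answer), the three encoders written in plain Java so that they run without ESAPI; the method names mirror ESAPI's encodeForHTML / encodeForHTMLAttribute / encodeForJavaScript, the address value is a constructed sample, and showAddress is a hypothetical page function. It applies each encoder to the contexts from the question and shows why the scriptlet being Java does not make the JavaScript encoder the right choice.

```java
public class ContextualEncoding {
    // Between tags (the <label> body) or inside a quoted attribute: entity-encode the
    // characters that can end text or an attribute value (fn:escapeXml does the same).
    static String encodeForHtml(String s) {
        StringBuilder sb = new StringBuilder();
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Sufficient only for attribute values that are always quoted, as in the snippets above.
    static String encodeForHtmlAttribute(String s) { return encodeForHtml(s); }

    // Inside a JavaScript string literal: hex/unicode escapes that the JS lexer
    // understands but that mean nothing to the HTML parser.
    static String encodeForJavaScript(String s) {
        StringBuilder sb = new StringBuilder();
        for (char c : s.toCharArray()) {
            if (c < 128 && (Character.isLetterOrDigit(c) || c == ' ')) sb.append(c);
            else if (c < 256) sb.append(String.format("\\x%02X", (int) c));
            else sb.append(String.format("\\u%04X", (int) c));
        }
        return sb.toString();
    }
    public static void main(String[] args) {
        // Constructed sample: a user-supplied address carrying a script tag and a quote.
        String address = "12 O'Brien St <script>alert(1)</script>";
        // Both scriptlets in the question are Java, but what they write is HTML text,
        // so the HTML encoder is the one to use for the <label> body and the <td> body.
        System.out.println("<label>" + encodeForHtml(address) + "</label>");
        // The same value placed inside a quoted attribute.
        System.out.println("<td title=\"" + encodeForHtmlAttribute(address) + "\">");
        // encodeForJavaScript belongs to a JS string literal. In an inline handler the browser
        // HTML-decodes the attribute before running it, so encode inner to outer: JS, then attribute.
        String handler = "showAddress('" + encodeForJavaScript(address) + "')";
        System.out.println("<a onclick=\"" + encodeForHtmlAttribute(handler) + "\">");
        // Using the JS encoder for HTML text leaves \x escapes that the HTML parser
        // does not interpret, so the page shows escape sequences instead of the value.
        System.out.println("<label>" + encodeForJavaScript(address) + "</label>");
    }
}
```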

Related

JSTL escaping special characters

I have this weird issue with special characters.
In JSP, I am using the field name as the id, and the name can be anything like
id="&lt;1 and &>2" (OR)
id="aaa & bbb"
I don't have any other option but to use names as IDs; that's the only thing I get from the backend.
So, is there any logic to remove all the special characters using JSTL?
With the present scenario, in JS I will do some operations with the ID. This is causing many issues in each kind of browser.
Please suggest. Thanks in advance...
The JSTL provides two means of escaping HTML special chars:
<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
...
<c:out value="${myName}"/>
and
${fn:escapeXml(myName)}
Both will transform the special chars into their respective HTML entities (< becomes &lt;, & becomes &amp;, ...).
Note that the IDs must be encoded in HTML, but not in JavaScript.
I think your question was misunderstood.
I arrived at the same point as you, and got the problem solved with escapeXml="false".
<c:out value="${id}" escapeXml="false"/>
I had data in database like:
&lt;Hello World&gt;
and escapeXml="false" made it display
<Hello World>
I think this is what you are looking for.
Use Spring's HtmlUtils.htmlEscape(String input).
I just faced a scenario where I had to escape ' (i.e. a single quote) apart from other special characters. In that case fn:escapeXml failed. So I used JavaScriptUtils.javaScriptEscape() of the Spring API, created a tag and applied it. Now the issue is resolved. I also referred to the URL: http://www.coderanch.com/t/528521/JSP/java/Passing-JSTL-variable-special-characters.

JSP: Problems Interpreting a Variable

This is my first post and I'm having problems with a servlet interpreting a variable I created to sequentially name two tags on a page running on Liferay.
Apparently the JSP interprets it correctly for some tags and not for others. This is strange to me.
The following is an example of the code:
I created the "sequencia" variable to create an order:
<div id="buttons<%=sequencia%>">
<aui:a href="javascript:printdiv('content<%=sequencia%>');" cssClass="bt_esquerda<%=sequencia%>">Imprimir<%=sequencia%></aui:a>
The result that comes back in the code is this:
<div id="buttons1">
<a href="javascript:printdiv('content<%=sequencia%>');"
class="bt_esquerda<%=sequencia%>">Imprimir1
Does anyone have any idea WHY it cannot resolve within the single and double quotation marks of the <a> tag, but can for <div>?
Even if you do not know, do you have any alternative ideas?
Thank you.
The reason for the issue is that aui:a represents a custom AUI anchor tag, which has its own implementation, whereas div is a generic HTML tag.
You may use any of the below alternatives:
<aui:a href="javascript:;" onClick='<%= "javascript:printdiv(\'content" + sequencia + "\');" %>' cssClass="bt_esquerda<%=sequencia%>">Imprimir<%=sequencia%></aui:a>
<aui:a href='<%= "javascript:printdiv(\'content" + sequencia + "\');" %>' cssClass="bt_esquerda<%=sequencia%>">Imprimir<%=sequencia%></aui:a>
I resolved my problem by creating a string before the tag and using it instead, that way:
String link = "javascript:printdiv(\'content" + sequencia + "\');";
<aui:a href="<%=link%>" ...
Thanks for your help, Pankajkumar.

How to unescape HTML in Struts2

I have saved some basic HTML in a database. This HTML is redisplayed, via the ValueStack in the Action class, as <s:property value="htmlcodeString"/> in the JSP file.
However, the HTML code is not interpreted, but escaped and displayed as is (e.g. <b>BOLD</b> is shown instead of BOLD).
I am using Struts2. I found many recommendations on the internet to use <c:out value="${text}" escapeXml="false" />. But I don't know what it is. How can I make use of it in Struts2?
The <s:property> tag has an escapeHtml attribute which is true by default.
(Hopefully for obvious reasons.)
<c:out> is part of the JSTL, and you use it in S2 like in any other web app, with the caveat that it's because of an S2 request wrapper that you can use JSP EL to access the value stack.
I came across the question through Google and found that adding the escapeHtml="false" attribute caused the JSP to stop displaying. What worked instead was simply escape="false".

How to pass a string containing double quotes from a jsp to a servlet through URL using get method

I want to set a JSP parameter to an attribute value which may contain special symbols, then use a form GET submit to pass the parameter to a servlet controller. For example, the parameter is:
<input type="hidden" name="searchTerms" value="${sessionScope.combTerms}">
I noticed that if sessionScope.combTerms contains double quotes, e.g. location:"LOC1", the controller will only receive the value of searchTerms as location:, in which the LOC1" disappeared. What should I do to make sure whatever string is in sessionScope.combTerms is passed to the controller correctly? Thanks in advance.
When filling HTML input values, always use fn:escapeXml(). It not only sanitizes the value of HTML-significant characters which might cause your HTML to malform (a quote denotes the end of an attribute value; that's why the remainder of your value got lost), but it will also save you from XSS injection risks at places where you're redisplaying user-controlled input.
<%@ taglib uri="http://java.sun.com/jsp/jstl/functions" prefix="fn" %>
<input type="hidden" name="searchTerms" value="${fn:escapeXml(sessionScope.combTerms)}">
No need to URLEncode it. The web browser will already do it automagically. Try it yourself with an & in the value. You'll see that the web browser changes it to %26. The web browser will also take care of parsing XML entities so that they end up correctly in the URL. I.e. you get " on the server side, not &quot;.
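As an added example (not the answerer's code), a small simulation of what the browser does with the hidden input from the question: it takes the attribute value up to the next double quote, decodes the character references that fn:escapeXml emits, URL-encodes the value for the GET request, and the container decodes it again. The two input tags are constructed to match the JSP output for combTerms = location:"LOC1" without and with escaping; the attribute parsing is deliberately minimal (a quoted value attribute only) and the code assumes Java 10 or later for the Charset overloads.

```java
import java.net.URLDecoder;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class HiddenInputRoundTrip {
    // What an HTML tokenizer keeps for value="...": everything up to the next double quote.
    static String attributeValue(String tag) {
        Matcher m = Pattern.compile("value=\"([^\"]*)\"").matcher(tag);
        return m.find() ? m.group(1) : "";
    }

    // The browser decodes character references before submitting the form.
    // Only the five that fn:escapeXml produces are handled; &amp; goes last so that
    // a literal "&amp;lt;" does not collapse into "<".
    static String decodeEntities(String s) {
        return s.replace("&#034;", "\"").replace("&#039;", "'").replace("&lt;", "<")
                .replace("&gt;", ">").replace("&amp;", "&");
    }

    // The browser URL-encodes the decoded value into the query string (this is where
    // a quote becomes %22 and an ampersand %26); the servlet container decodes it again,
    // so request.getParameter("searchTerms") returns what this method returns.
    static String submitAndReceive(String tag) {
        String decoded = decodeEntities(attributeValue(tag));
        String onWire = URLEncoder.encode(decoded, StandardCharsets.UTF_8);
        return URLDecoder.decode(onWire, StandardCharsets.UTF_8);
    }

    public static void main(String[] args) {
        // Constructed: the rendered JSP output for combTerms = location:"LOC1".
        // Raw EL output: the embedded quote ends the attribute value early.
        String raw = "<input type=\"hidden\" name=\"searchTerms\" value=\"location:\"LOC1\"\">";
        // fn:escapeXml output: the quotes survive as &#034; and reach the servlet intact.
        String escaped = "<input type=\"hidden\" name=\"searchTerms\" value=\"location:&#034;LOC1&#034;\">";
        System.out.println("raw value received:     " + submitAndReceive(raw));
        System.out.println("escaped value received: " + submitAndReceive(escaped));
    }
}
```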
You encode the value before placing it into the form and then decode it in the servlet.
(You might have already seen this as %20 in URL parameters)
Here are the respective classes.
http://download-llnw.oracle.com/javase/1.5.0/docs/api/java/net/URLEncoder.html
http://download-llnw.oracle.com/javase/1.5.0/docs/api/java/net/URLDecoder.html
<% String st = str.replaceAll("\"", "&quot;"); %>, and use st instead of str.

Displaying time in JSP page

This was my line in demo.jsp:
demo
Hello there!!! The time is <%= new java.util.Date()%>
which, when I opened it in Firefox, doesn't show the time. Instead it displays the same line: "The time is <%= new java.util.Date()%>"
Your code is completely correct; this will display the current time, formatted by the current locale settings.
As others noted incorrectly, the position where you put this in the page (i.e. surrounded by other HTML tags) is not the problem here.
However, it seems you are accessing your page either directly from the file location (file://yourPath/demo.jsp) or via a standard web server (e.g. Apache), but not from a servlet container (e.g. Tomcat, Jetty, ...), which would actually pre-process the <% ... %> JSP tags.
Look for an example for how to configure Tomcat or Jetty for your operating system, and where to put the JSP pages, or for a tutorial on how to use it from within Eclipse or IDEA.
It looks like you're putting <%= new java.util.Date()%> in the wrong place and it is being treated as text rather than code; it should look something like this:
<td width="100%"><b> Current Date
and time is: <font color="#FF0000">
<%= new java.util.Date() %>
</font></b></td>
If you post a code sample, it'll help a lot.
Some examples here too: http://www.roseindia.net/jsp/jsp_date_example.shtml
Dave
If you go to this link, it has examples, with source, that show you how to do it properly. See the "Date" example under JSP 1.2 examples.
Another recommendation: Learn JSTL and use its format tags to format time and date properly. Don't use scriptlets.
