Building WebApps with JEE

Navigation

Quicksearch

Tagcloud

Wishlist

This is a random item from my wishlist:

'Round About Midnight.

The full list is on amazon.de

Twitter

    Upcoming Events

    PHP Unconference

    Hamburg

    25.09.2010, 09:00 Uhr

    Intl. PHP Conference

    Mainz

    11.10.2010, 09:00 Uhr

    hCalendar

    Archives

    Syndicate This Blog

    Saturday, April 19. 2008

    Building WebApps with JEE

    Java

    For a university project I have to develop a web based application using Java Enterprise Edition which will be based on Apache Tomcat. Afterdoing some initial setup on my development machine I did some simple tests to see whether everything works. So my first JSP file looked something like this:

    <html>
    <body>
    <%
    out.println(request.getParameter("foo"));
    %>
    </body>
    </html>

    Coming from web security I knew this being a XSS security problem since the user data is directly given to the output stream. Of course this is simple test code but as a self proclaqimed web security expert I havbe to think about such issues before even starting with implementation of the real app - even though the real app is just for university. So I browsed through the JEE documentation to find some method to encode HTML output so I asked a few friends with more Java experience and the only solution I found was using Apache Commons' org.apache.commons.lang.StringEscapeUtils which is no part of the JEE framework, a framework which was created with web apps in mind. How can that be? Are JSP based applications supposed to be unsafe? - And people say PHP was unsafe, which really was made for "solving the web problem" and offers all the things you need in it's core API.

    Posted by Johannes Schlüter in Java at 21:23 | Comment (1) | Trackback (1)
    Defined tags for this entry: , , , ,
    Related entries by tags:
    < It's again this time of the year ... | Java und die Ursprünge >

    Trackbacks
    Trackback specific URI for this entry

    Java, Hachja
    Der Herr chinstrap baut jetzt Java-Anwendungen. Irgendwie tut er mir ja leid. Wenn ich mich an die Diskussionen zu Java in den 90ern zurückerinnere, wurde die Sprache zur Programmierung von Wasch- und Kaffeemaschinen entwickelt. Ich bin dann sofort umg
    Weblog: looser blog
    Tracked: Apr 20, 01:00

    Comments
    Display comments as (Linear | Threaded)

    If you print values using the JSTL core lib, they are automatically escaped:

    http://java.sun.com/products/jsp/jstl/1.1/docs/tlddocs/c/out.html

    Another option is to use the escapeXml function:

    http://java.sun.com/products/jsp/jstl/1.1/docs/tlddocs/fn/escapeXml.fn.html

    Using Java in templates is considered bad practice anyway..
    #1 Anonymous on 1970-01-01 01:33 (Reply)
    Thanks, I hoped that ranting would help, and yes, code in templates is badm I know, but it's the best way to initially test stuff.
    #1.1 Johannes on 2008-04-30 19:23 (Reply)

    Add Comment

    Enclosing asterisks marks text as bold (*word*), underscore are made via _word_.
    Standard emoticons like :-) and ;-) are converted to images.
    E-Mail addresses will not be displayed and will only be used for E-Mail notifications.

    To prevent automated Bots from commentspamming, please enter the string you see in the image below in the appropriate input box. Your comment will only be submitted if the strings match. Please ensure that your browser supports and accepts cookies, or your comment cannot be verified correctly.
    CAPTCHA 1CAPTCHA 2CAPTCHA 3CAPTCHA 4CAPTCHA 5



    To prevent automated Bots from commentspamming, please enter the string you see in the image below in the appropriate input box. Your comment will only be submitted if the strings match. Please ensure that your browser supports and accepts cookies, or your comment cannot be verified correctly.
    CAPTCHA 1CAPTCHA 2CAPTCHA 3CAPTCHA 4CAPTCHA 5
     
     
    Copyright ©1999-2010 Johannes Schlüter. All rights reserved.