Building WebApps with JEE
For a university project I have to develop a web based application using Java Enterprise Edition which will be based on Apache Tomcat. Afterdoing some initial setup on my development machine I did some simple tests to see whether everything works. So my first JSP file looked something like this:
<html>
<body>
<%
out.println(request.getParameter("foo"));
%>
</body>
</html>Coming from web security I knew this being a XSS security problem since the user data is directly given to the output stream. Of course this is simple test code but as a self proclaqimed web security expert I havbe to think about such issues before even starting with implementation of the real app - even though the real app is just for university. So I browsed through the JEE documentation to find some method to encode HTML output so I asked a few friends with more Java experience and the only solution I found was using Apache Commons' org.apache.commons.lang.StringEscapeUtils which is no part of the JEE framework, a framework which was created with web apps in mind. How can that be? Are JSP based applications supposed to be unsafe? - And people say PHP was unsafe, which really was made for "solving the web problem" and offers all the things you need in it's core API.
Der Herr chinstrap baut jetzt Java-Anwendungen. Irgendwie tut er mir ja leid. Wenn ich mich an die Diskussionen zu Java in den 90ern zurückerinnere, wurde die Sprache zur Programmierung von Wasch- und Kaffeemaschinen entwickelt. Ich bin dann sofort umg
Tracked: Apr 20, 01:00
Thursday, January 1. 1970 at 01:33 (Reply)
http://java.sun.com/products/jsp/jstl/1.1/docs/tlddocs/c/out.html
Another option is to use the escapeXml function:
http://java.sun.com/products/jsp/jstl/1.1/docs/tlddocs/fn/escapeXml.fn.html
Using Java in templates is considered bad practice anyway..
Wednesday, April 30. 2008 at 19:23 (Reply)