Skip to: categories | main content

Building WebApps with JEE

Java

For a university project I have to develop a web based application using Java Enterprise Edition which will be based on Apache Tomcat. Afterdoing some initial setup on my development machine I did some simple tests to see whether everything works. So my first JSP file looked something like this:

<html>
<body>
<%
out.println(request.getParameter("foo"));
%>
</body>
</html>

Coming from web security I knew this being a XSS security problem since the user data is directly given to the output stream. Of course this is simple test code but as a self proclaqimed web security expert I havbe to think about such issues before even starting with implementation of the real app - even though the real app is just for university. So I browsed through the JEE documentation to find some method to encode HTML output so I asked a few friends with more Java experience and the only solution I found was using Apache Commons' org.apache.commons.lang.StringEscapeUtils which is no part of the JEE framework, a framework which was created with web apps in mind. How can that be? Are JSP based applications supposed to be unsafe? - And people say PHP was unsafe, which really was made for "solving the web problem" and offers all the things you need in it's core API.

Posted by Johannes Schlüter in Java Comment: (1) Trackback: (1)
Defined tags for this entry: , , , ,
Related entries by tags:
< It's again this time of the year ... | Java und die Ursprünge >

Trackbacks
Trackback specific URI for this entry

Java, Hachja
Der Herr chinstrap baut jetzt Java-Anwendungen. Irgendwie tut er mir ja leid. Wenn ich mich an die Diskussionen zu Java in den 90ern zurückerinnere, wurde die Sprache zur Programmierung von Wasch- und Kaffeemaschinen entwickelt. Ich bin dann sofort umg
Weblog: looser blog
Tracked: Apr 20, 01:00

Comments
Display comments as (Linear | Threaded)

Anonymous said,

Thursday, January 1. 1970 at 01:33

If you print values using the JSTL core lib, they are automatically escaped:

http://java.sun.com/products/jsp/jstl/1.1/docs/tlddocs/c/out.html

Another option is to use the escapeXml function:

http://java.sun.com/products/jsp/jstl/1.1/docs/tlddocs/fn/escapeXml.fn.html

Using Java in templates is considered bad practice anyway..
Johannes said,

Wednesday, April 30. 2008 at 19:23

Thanks, I hoped that ranting would help, and yes, code in templates is badm I know, but it's the best way to initially test stuff.

Add Comment

Enclosing asterisks marks text as bold (*word*), underscore are made via _word_.
Standard emoticons like :-) and ;-) are converted to images.
E-Mail addresses will not be displayed and will only be used for E-Mail notifications.

To prevent automated Bots from commentspamming, please enter the string you see in the image below in the appropriate input box. Your comment will only be submitted if the strings match. Please ensure that your browser supports and accepts cookies, or your comment cannot be verified correctly.



To prevent automated Bots from commentspamming, please enter the string you see in the image below in the appropriate input box. Your comment will only be submitted if the strings match. Please ensure that your browser supports and accepts cookies, or your comment cannot be verified correctly.