struts-user mailing list archives

From Craig McClanahan <craig...@gmail.com>
Subject Re: ActionForm problem
Date Thu, 17 Mar 2005 21:22:41 GMT
On Thu, 17 Mar 2005 16:18:25 -0500, Rick Reumann <struttin@reumann.net> wrote:
> Dakota Jack wrote the following on 3/17/2005 4:08 PM:
> > I think that Craig had mentioned that there were some security issues
> > or something, however, with not using the <c: blah blah.  I did not
> > bother checking it out because I still use the <c: blah blah.
> 
> wow, really? I'd like to know what they are. I love how much cleaner my
> code is without having to use c:out everywhere.

Expression evaluation doesn't filter out characters that are sensitive
in HTML (like '<').  Consider a common case where you accept input
from a user into a text field, store it in your database, and then
display it (on a different page) with something like this:

    <td>${customer.name}</td>

Now, consider what happens if you have a malicious user who types
something like this into the name field:

    <script language="JavaScript">...</script>

The unsuspecting user who displays this page will be executing
whatever JavaScript code replaces "...".  That doesn't happen if you
use <c:out> (or <bean:write> in Struts) because, by default, the "<"
character gets emitted as "&lt;" instead.

Craig

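As an added illustration (not code from this thread or from Struts/JSTL), the following Java snippet simulates what the page emits for the two constructs Craig compares: plain EL copies the value verbatim, while <c:out> with its default escapeXml="true" replaces the five characters that are significant in HTML/XML with entity references. The sample "name" value and the class/method names are constructed for the demo.

```java
// Added example, not from the thread: models the difference between
// <td>${customer.name}</td> and <td><c:out value="${customer.name}"/></td>.
public class EscapeDemo {

    // Equivalent of JSTL <c:out> default behaviour (escapeXml="true"):
    // '<', '>', '&', '\'' and '"' become entity references.
    static String escapeXml(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '\'': sb.append("&#039;"); break;
                case '"':  sb.append("&#034;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // <td>${customer.name}</td> : the stored value is inserted as-is.
    static String renderWithEl(String name) {
        return "<td>" + name + "</td>";
    }

    // <td><c:out value="${customer.name}"/></td> : the value is escaped first.
    static String renderWithCout(String name) {
        return "<td>" + escapeXml(name) + "</td>";
    }

    // True if the rendered cell still contains markup that came from the value
    // (checks for the tag used in Craig's example; any tag would behave the same).
    static boolean containsInjectedTag(String html) {
        return html.indexOf("<script") >= 0;
    }

    public static void main(String[] args) {
        // Constructed sample: the kind of "name" field value Craig describes.
        String hostile = "<script language=\"JavaScript\">...</script>";
        String el = renderWithEl(hostile);
        String cout = renderWithCout(hostile);
        System.out.println("EL    : " + el);
        System.out.println("c:out : " + cout);
        System.out.println("EL emits the tag?    " + containsInjectedTag(el));
        System.out.println("c:out emits the tag? " + containsInjectedTag(cout));
    }
}
```

The escaped output keeps the user's text visible in the cell as literal characters, so the browser never treats it as a tag.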

---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
For additional commands, e-mail: user-help@struts.apache.org

