struts-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From JOSE L MARTINEZ-AVIAL <jlm...@gmail.com>
Subject Re: best approach to clean parameters using Jsoup
Date Wed, 19 Nov 2014 11:18:44 GMT
Thanks for the ideas. Overwriting retrieveParameters(ActionContext ac)
method seems a good solution, although that would imply doing it to all
parameters. While that could be ok, I would like to take a less aggressive
approach.One option I'm considering is to user a custom Converter that
could take care of this, so I could setup the converter only in those
parameters I know I need to filter. What do you think?

2014-11-19 4:57 GMT-05:00 Lukasz Lenart <lukaszlenart@apache.org>:

> 2014-11-19 4:57 GMT+01:00 JOSE L MARTINEZ-AVIAL <jlmagc@gmail.com>:
> > Hello,
> >   We are using Struts 2.3.16.3 for our application. Due to security
> > reasons, we need to "clean" the user's input in order to avoid XSS. We
> are
> > using JSoup for that, with success(
> > http://jsoup.org/cookbook/cleaning-html/whitelist-sanitizer).
> >
> >   The issues is that we haven't find a really good way to integrate it
> with
> > Struts. Basically we need to pass every String parameter through JSoup to
> > sanitize it, and right now we are doing it manully on the execute method
> of
> > the action, after the parameters have been loaded in the action and
> > validated. We would like to do it automatically when the parametes are
> set
> > in the action. In the normal actions we can do it in the getter, but some
> > actions have java beans for parameters, and we don't want to integrate
> the
> > Jsoup call in the bean methods. Any suggestions about how to do this?
>
> You can override ParametersInterceptor's
> retrieveParameters(ActionContext ac) method and then build your custom
> stack. Or you can develop custom interceptor and put it on the top of
> your stack and do ActionContext.get/setParameters() in intercept()
> method.
>
>
> Regards
> --
> Ɓukasz
> + 48 606 323 122 http://www.lenart.org.pl/
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
> For additional commands, e-mail: user-help@struts.apache.org
>
>

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message