struts-user mailing list archives

From Lukasz Lenart <lukaszlen...@apache.org>
Subject Re: best approach to clean parameters using Jsoup
Date Thu, 20 Nov 2014 12:48:36 GMT
How did you register it?

2014-11-19 12:55 GMT+01:00 JOSE L MARTINEZ-AVIAL <jlmagc@gmail.com>:
> Quick question here. I'm working on the approach to use a custom converter.
> It works fine for standard parameters (just a String), but I'm having
> issues when the setter receives a String[] parameter
>
>     private String parameter = null;
>     @TypeConversion(type = ConversionType.CLASS, converter =
> "com.xxx.yyy.util.conversion.struts2.JSoupConversor")
>     public void setParameter(String parameter) {
>         this.parameter = parameter;
>         LOG.debug("simple parameter "+parameter);
>     }
>
>     private String parameterArray[] = null;
>     @TypeConversion(rule = ConversionRule.COLLECTION, type =
> ConversionType.CLASS, converter =
> "com.xxx.yyy.util.conversion.struts2.JSoupConversor")
>     public void setParameterArray(String parameterArray[]) {
>         this.parameterArray = parameterArray;
>         LOG.debug("parameterArray " +Arrays.toString(parameterArray));
>     }
>
> the JSoupConversor has a minimal implementation of the conversion:
>
>     public Object convertValue(Map context, Object o, Class toClass) {
>         LOG.debug("convertValue "+o);
>         return super.convertValue(context,o, toClass);
>     }
>
>     public Object convertFromString(Map context, String[] values, Class
> toClass) {
>         LOG.debug("convertFromString "+Arrays.toString(values));
>         return null;
>     }
>
>     public String convertToString(Map context, Object o) {
>         LOG.debug("convertToString " +o);
>         if (o != null)
>             return o.toString();
>         return null;
>     }
>     protected Object performFallbackConversion(Map context, Object o, Class
> toClass) {
>         LOG.debug("performFallbackConversion "+o);
>         return super.convertValue(context, o, toClass);
>     }
>
> The issue is that the converter is not being called for the
> parameterArray, although the setter is being called. The logs are as
> follows:
>
> com.opensymphony.xwork2.interceptor.ParametersInterceptor  - Setting params
> parameter => [ value1 ] parameterArray => *[ value2, value3 ]*
> com.opensymphony.xwork2.conversion.impl.DefaultConversionAnnotationProcessor
> - TypeConversion [com.xxx.yyy.util.conversion.struts2.JSoupConversor] with
> key: [parameter]
> *com.opensymphony.xwork2.conversion.impl.DefaultConversionAnnotationProcessor
> - TypeConversion [com.xxx.yyy.util.conversion.struts2.JSoupConversor] with
> key: [parameterArray]*
> com.xxx.yyy.util.conversion.struts2.JSoupConversor  - convertValue
> [Ljava.lang.String;@1028f08
> com.xxx.yyy.util.conversion.struts2.JSoupConversor  - convertToString
> [Ljava.lang.String;@1028f08
> com.xxx.yyy.modules.test.controller.action.json.TestJSON  - simple
> parameter [Ljava.lang.String;@1028f08
> com.xxx.yyy.modules.test.controller.action.json.TestJSON  - *parameterArray
> [value2, value3]*
> com.opensymphony.xwork2.validator.ValidationInterceptor  - Invoking
> validate() on action
> com.spb.eco.modules.test.controller.action.json.TestJSON@1f4ca39
>
> So I see the converter being called for parameter, but not for
> parameterArray, but the parameterArray is actually being set. What am I
> missing?
>
> Thanks
>
>
> 2014-11-19 6:18 GMT-05:00 JOSE L MARTINEZ-AVIAL <jlmagc@gmail.com>:
>
>> Thanks for the ideas. Overriding the retrieveParameters(ActionContext ac)
>> method seems a good solution, although that would imply doing it to all
>> parameters. While that could be OK, I would like to take a less aggressive
>> approach. One option I'm considering is to use a custom Converter that
>> could take care of this, so I could set up the converter only on those
>> parameters I know I need to filter. What do you think?
>>
>> 2014-11-19 4:57 GMT-05:00 Lukasz Lenart <lukaszlenart@apache.org>:
>>
>> 2014-11-19 4:57 GMT+01:00 JOSE L MARTINEZ-AVIAL <jlmagc@gmail.com>:
>>> > Hello,
>>> >   We are using Struts 2.3.16.3 for our application. Due to security
>>> > reasons, we need to "clean" the user's input in order to avoid XSS. We are
>>> > using JSoup for that, with success
>>> > (http://jsoup.org/cookbook/cleaning-html/whitelist-sanitizer).
>>> >
>>> >   The issue is that we haven't found a really good way to integrate it with
>>> > Struts. Basically we need to pass every String parameter through JSoup to
>>> > sanitize it, and right now we are doing it manually in the execute method of
>>> > the action, after the parameters have been loaded into the action and
>>> > validated. We would like to do it automatically when the parameters are set
>>> > in the action. In the normal actions we can do it in the getter, but some
>>> > actions have Java beans for parameters, and we don't want to integrate the
>>> > Jsoup call in the bean methods. Any suggestions about how to do this?
>>>
>>> You can override ParametersInterceptor's
>>> retrieveParameters(ActionContext ac) method and then build your custom
>>> stack. Or you can develop custom interceptor and put it on the top of
>>> your stack and do ActionContext.get/setParameters() in intercept()
>>> method.
>>>
>>>
>>> Regards
>>> --
>>> Łukasz
>>> + 48 606 323 122 http://www.lenart.org.pl/
>>>
>>>
>>

---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
For additional commands, e-mail: user-help@struts.apache.org
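The thread names two integration points but shows code for neither; the following is an added example, written for this archive page and not code from the thread, from Jose's application or from the Struts project. It implements the second option Łukasz suggested: a Struts 2.3 interceptor placed ahead of defaultStack that rewrites the parameter map in ActionContext before ParametersInterceptor copies values onto the action. Working on the map means both String and String[] values are cleaned, and nested bean keys such as "user.name" are covered without touching the bean, so the approach does not depend on XWork's converter dispatch, which the logs above show is not reached for the String[] setter. The package name, class name and the names used in the struts.xml fragment are assumptions.

```java
package com.example.sanitize; // assumed package name, not from the thread

import java.util.HashMap;
import java.util.Map;

import org.jsoup.Jsoup;
import org.jsoup.safety.Whitelist;

import com.opensymphony.xwork2.ActionContext;
import com.opensymphony.xwork2.ActionInvocation;
import com.opensymphony.xwork2.interceptor.AbstractInterceptor;

/**
 * Runs every String and String[] request parameter through Jsoup.clean
 * before ParametersInterceptor sets them on the action (Struts 2.3.x,
 * where ActionContext.getParameters() returns Map<String, Object>).
 *
 * Registration in struts.xml (names are assumptions):
 *
 *   <interceptors>
 *     <interceptor name="jsoupParams"
 *                  class="com.example.sanitize.JsoupParametersInterceptor"/>
 *     <interceptor-stack name="sanitizedStack">
 *       <interceptor-ref name="jsoupParams"/>
 *       <interceptor-ref name="defaultStack"/>
 *     </interceptor-stack>
 *   </interceptors>
 *   <default-interceptor-ref name="sanitizedStack"/>
 */
public class JsoupParametersInterceptor extends AbstractInterceptor {

    private static final long serialVersionUID = 1L;

    // Whitelist.none() keeps text only and strips every tag; use
    // Whitelist.basic() for fields that legitimately accept simple HTML.
    private final Whitelist whitelist = Whitelist.none();

    @Override
    public String intercept(ActionInvocation invocation) throws Exception {
        ActionContext ctx = invocation.getInvocationContext();
        Map<String, Object> params = ctx.getParameters();
        if (params != null && !params.isEmpty()) {
            // Replace the map rather than mutating it: the original may be
            // an unmodifiable view of the servlet request parameters.
            ctx.setParameters(sanitize(params));
        }
        return invocation.invoke();
    }

    /** Returns a new map in which every String and String[] value is cleaned. */
    Map<String, Object> sanitize(Map<String, Object> params) {
        Map<String, Object> cleaned = new HashMap<String, Object>(params.size());
        for (Map.Entry<String, Object> e : params.entrySet()) {
            cleaned.put(e.getKey(), cleanValue(e.getValue()));
        }
        return cleaned;
    }

    /** Cleans a single parameter value; String[] is the common servlet shape. */
    Object cleanValue(Object value) {
        if (value instanceof String) {
            return clean((String) value);
        }
        if (value instanceof String[]) {
            String[] in = (String[]) value;
            String[] out = new String[in.length];
            for (int i = 0; i < in.length; i++) {
                out[i] = (in[i] == null) ? null : clean(in[i]);
            }
            return out;
        }
        // Anything else (e.g. multipart file objects) is passed through untouched.
        return value;
    }

    String clean(String raw) {
        return Jsoup.clean(raw, whitelist);
    }
}
```

One caveat to weigh before applying this globally: Jsoup.clean returns HTML-encoded body markup, so a plain-text value such as `a < b` comes back as `a &lt; b`. That is the right representation for fields that will be rendered as HTML, but for fields stored or compared as plain text (usernames, search terms) it is a transformation the action code must expect, which is the same trade-off Jose mentions when weighing a per-field converter against cleaning every parameter.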

