[Java-project] Request for Input: preventing XSS with J2EE

Eelco Klaver eklaver at econsulting.nl
Wed Sep 19 03:34:47 EDT 2007


All,

In addition to my previous response below, I was wondering whether anyone
has experience with the HDIV project that tries to solve web application
security vulnerabilities in a generic way for the major web frameworks:

http://www.theserverside.com/news/thread.tss?thread_id=46924
http://www.hdiv.org/

Regards,

Eelco Klaver

2007/9/18, Eelco Klaver <eklaver at econsulting.nl>:
>
> Erwin,
>
> The protection against XSS is twofold: input validation and output
> escaping. For the different Java frameworks I know, the following protection
> is provided:
>
> Struts:
> =====
> *Input validation*: Struts Validator
> *Output escaping*: <bean:write/> automatically escapes all output. Avoid
> using attribute filter=false
>
> JSF:
> ===
> *Input validation*: Validation is step 3 in the application lifecycle. In
> the API only three standard validators have been defined, but implementations
> can provide their own validators, such as MyFaces RegExprValidator.
> Furthermore Apache Commons Validator can be integrated with JSF validation.
> *Output escaping*: <h:outputText/> automatically escapes all output. Avoid
> using attribute escape=false
>
> Spring MVC:
> =========
> *Input validation*: Controllers can have Spring Validators. Integrates
> with Commons Validator.
> *Output escaping*: JSTL tag <c:out/> automatically escapes all output.
> Avoid using attribute escapeXml=false
>
> Tapestry:
> =======
> *Input validation*: Components inside a page can be assigned one or more
> Tapestry validators. Standard validators include required, min-length,
> max-length, pattern etc. Tapestry also depends on Commons Validator.
> *Output escaping*: By default Tapestry escapes all HTML output. Avoid
> using <t:outputraw/>
>
> Hope this helps.
>
> Regards,
>
> Eelco Klaver
>
>
> 2007/9/17, Erwin Geirnaert <erwin.geirnaert at zionsecurity.com>:
> >
> > Dear list,
> >
> > I want some input for the Spring of Code Java project that I'm working
> > on.
> >
> > I would like to know all possible Java frameworks out there and their
> > validation/protection mechanisms against cross-site-scripting.
> >
> > Like Struts – Validator (which is a normal validator but can be extended
> > with positive security) but for other frameworks it is very hard to find
> > information.
> >
> > Thanks,
> >
> > Erwin
> >
> > _______________________________________________
> > Java-project mailing list
> > Java-project at lists.owasp.org
> > https://lists.owasp.org/mailman/listinfo/java-project
> >
> >
>
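As an added illustration of the twofold protection described in Eelco's reply (input validation plus output escaping), here is a small plain-Java example. It is not code from this thread, from HDIV, or from any of the frameworks named; the class, the method names, the allowlist rule for a "display name" and the sample inputs are all assumptions made for the example. The escaper does by hand what <bean:write/>, <h:outputText/> and <c:out/> do by default, which is exactly what is lost when filter=false, escape=false or escapeXml=false is set.

```java
import java.util.regex.Pattern;

/**
 * Added example (not from the thread): positive-security input validation
 * combined with HTML output escaping at the rendering sink.
 */
public final class XssDefenceExample {

    // Assumed allowlist policy for a display name: letters, digits, space, dot,
    // underscore, hyphen, at most 40 characters. Anything else is rejected.
    private static final Pattern DISPLAY_NAME = Pattern.compile("^[A-Za-z0-9 ._-]{1,40}$");

    /** Input validation: accept only what the allowlist permits. */
    public static boolean isValidDisplayName(String input) {
        return input != null && DISPLAY_NAME.matcher(input).matches();
    }

    /**
     * Output escaping for the HTML body and quoted-attribute context. This is
     * the same transformation the framework tags apply unless escaping is
     * switched off with filter=false / escape=false / escapeXml=false.
     */
    public static String escapeHtml(String s) {
        if (s == null) {
            return "";
        }
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&#34;");  break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    /**
     * Renders a greeting the way a template would. Escaping is applied at the
     * sink, so the result is safe to emit regardless of whether validation ran.
     */
    public static String renderGreeting(String displayName) {
        return "<p>Hello, " + escapeHtml(displayName) + "!</p>";
    }

    public static void main(String[] args) {
        // Constructed sample inputs for the demonstration.
        String[] samples = {
            "Alice",
            "Bob <b>the</b> Builder",
            "O'Neil & \"Sons\""
        };
        for (String s : samples) {
            boolean valid = isValidDisplayName(s);
            // Validation rejects the second and third input; escaping still
            // neutralises the markup characters, so the two layers back each
            // other up rather than relying on either one alone.
            System.out.println("input=" + s
                    + " | valid=" + valid
                    + " | rendered=" + renderGreeting(s));
        }
    }
}
```

The point of keeping both layers is that validation is a policy decision at the entry point (what a display name may look like), while escaping is a property of the output context; a value that passes validation today can still need escaping once it is rendered somewhere the policy did not anticipate, and a value that arrives through a path the validator never saw (a database record, another component) is still rendered safely.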