When using Cross Site Scripting - XSS in a J2EE Struts 2.0.9 application: when I put a <Script> tag in the URL it is executing the JavaScript, which is a security threat. Is there any solution to overcome this problem apart from moving to a higher version of Struts?
views: 77, answers: 2
A:
Make a constant string array, and check this array for the right variable name when you request/call the URL.
Example:
http://localhost:8080/updaterecord.do?**name**="david"
http://localhost:8080/updaterecord.do?**ssn**="10-787-78787-77"
The name and ssn are pushed to a string array, and the URL parameter is validated against this array.
Thomman
2009-12-03 07:23:41
A:
Just escape user-controlled input in the front end.
In JSP/JSTL you should use c:out
<c:out value="${input}" />
for user-controlled input instead of plain EL
${input}
The Struts equivalent of c:out is html:text
<html:text value="${input}" />
In Java source code you don't need to worry about this. It doesn't interpret JS in Strings (unless you're using Rhino or so for that, of course ;) ).
BalusC
2009-12-03 16:55:13
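To make the escaping point in the answer above concrete, here is an added example (not code from either answer or from Struts) that does in plain Java what JSTL's c:out does with its default escapeXml="true": it replaces the five characters <, >, &, " and ' with entities, so a value reflected from the URL is rendered as text instead of being parsed as a script tag. The class and method names, and the sample parameter value, are constructed for this illustration.

```java
// Added example: output encoding of a reflected request parameter, mirroring
// what <c:out> does. Class/method names and the sample value are constructed.
public class OutputEncodingDemo {

    // Escape the same five characters <c:out escapeXml="true"> escapes,
    // so the value is shown as literal text and never parsed as markup.
    public static String escapeHtml(String input) {
        if (input == null) {
            return "";
        }
        StringBuilder sb = new StringBuilder(input.length() + 16);
        for (int i = 0; i < input.length(); i++) {
            char c = input.charAt(i);
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&#034;"); break;
                case '\'': sb.append("&#039;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // What the question describes: the parameter written into the page as-is,
    // equivalent to plain ${input} in a JSP.
    public static String renderUnescaped(String name) {
        return "<p>Hello, " + name + "</p>";
    }

    // The fix: the parameter passed through the escaper first,
    // equivalent to <c:out value="${input}" />.
    public static String renderEscaped(String name) {
        return "<p>Hello, " + escapeHtml(name) + "</p>";
    }

    public static void main(String[] args) {
        // Constructed sample: the kind of value the question says arrived via the URL.
        String name = "<script>alert('xss')</script>";
        System.out.println(renderUnescaped(name)); // a browser would run this as script
        System.out.println(renderEscaped(name));   // a browser shows it as literal text
    }
}
```

Running it prints the same value twice, once as live markup and once as `&lt;script&gt;alert(&#039;xss&#039;)&lt;/script&gt;`, which is exactly the difference between `${input}` and `<c:out>` in the view.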