i have one more issue related to JSP EL and security problem how to test this issue (JSP Expressions are not allowed in the Struts 2 Tag Libs because of security concerns allowing hackers to use JSP EL to inject OGNL into the tags to do bad things) i have done lots of search not not able to create such test case. Please if you have any sample test or thought please suggest
As of Struts version 2.0.9 the JSTL/JSP expression language (EL) has been disabled for Struts tag attributes which evaluate OGNL. This is a precaution against security vulnerabilities that can result from the double-evaluation that occurs when an attribute is first processed as a JSTL/JSP EL expression and then the result is processed as an OGNL expression. The solution is to express all dynamic attribute values in Struts tags using OGNL expressions directly.
http://struts.apache.org/release/2.2.x/docs/why-cant-i-use-jstl-style-el-expressions-in-struts-tags.html
This type of injection doesn't work anymore. If you want to see how it used to work, then create a new copy of the .tld file for the Struts2 tags and enable EL evaluation for the attributes of various tags.
As indicated above, this was an exploit that took advantage of the fact that EL expressions are processed by the JSP/EL engine and OGNL expressions are evaluated after that inside the tag class.
For example, if the Struts2 tags allowed EL expressions, you could wind up with the following:
<s:text name="${someVar}"/>
Where someVar is a parameter set from the incoming request and it could evaluate to an arbitrary OGNL expression. Once the text tag is invoked, it evaluates the OGNL expression, which may have unintended consequences.
There is a more in-depth example located in the JIRA ticket for this issue:
https://issues.apache.org/jira/browse/WW-2107
Related
In JSF sources I found the logic of defining character encoding via facelets.Encoding attribute, which can be available in FacesContext.getAttributes()
See FaceletViewHandlingStrategy#getResponseEncoding method for details. How can I define this attribute for instance of FacesContext? I tried to define it via context-param in web.xml, but it's not working. And also I didn't find any reference about it in JSF documentation.
The main reason why I want do this, it is overriding of javax.faces.request.charset value. I don't want define a special filter for my application the order to define not UTF-8 encoding. Because my application contains a lot of WAR packages inside of big EAR.
I am learning to create custom JSF components and have been successful in creating simple ones. One thing I would like to know is that whether there are any naming conventions to be followed while defining <component-family> and <renderer-type> for your component?
For e.g. for combo box the <component-family> is javax.faces.SelectOne. It looks like a Java class but I was unable to find any such class in JSF API.
They do indeed not necessarily represent class names. They are just identifiers. The javax.faces prefix hints in this case merely that it's part of standard JSF API. The same prefix is used everywhere else in standard JSF API. PrimeFaces components use org.primefaces prefix, OmniFaces components use org.omnifaces prefix, etcetera.
You're fully free in choosing your own for your component library. You should only gurarantee that it shouldn't possibly conflict with a 3rd party one which may be mixed by the enduser. Like as with package structure of Java classes, it'd make sense if you choose for com.naveen prefix or whatever what/who represents the owner/developer of the component library.
The same approach as Java packages (and Internet domain names) is a very sensible way of guaranteeing uniqueness (you know, identifiers are supposed to be unique).
See also:
How do I determine the renderer of a built-in component
What is the relationship between component family, component type and renderer type?
Java packages com and org
Does anyone have a link to a concise summary of what makes a portlet "JSR-286 compliant" vs being only "JSR-168 compliant". I've got a copy of the spec and that's anything but concise so linking the spec is not a useful answer. I've searched the web for an hour now and I've found nothing that is clear (aside from the spec, which of course requires that you read the previous spec too, and then weed out the "new features" from the "required compliance".
Particularly I've found that there's quite a bit of confusion out there on the necessity of web.xml, which appears to come from people using Liferay and not realizing that Liferay is dropping in a web.xml for them.
Do JSR-286 portlets require a web.xml file in their WAR files?
What I'd really like is something that contains one or more of the following lists:
Things you have to do to a JSR-168 to make it become JSR-286 compliant
Things you must not do, that would cause an otherwise JSR-286 compliant portlet to be considered only JSR-168.
You can leave "use the portlet-app_2_0.xsd" off the list, as I consider that part obvious.
I'm open to the answer that both lists are empty aside from the DTD/xsd for portlet.xml, and the difference is only in what the portal supports, but please back that assertion up with a link or other reference.
The reason I care is I see posts about Vaadin portlets in Liferay that imply that some features are not available for JSR-168 portlets... It may also be that some logic in Liferay switches based on which version of portlet.xml it sees, but I haven't confirmed that either so that would be interesting information too, but not the answer to my question.
According to this doc, but it's also mentioned in jsr286:
The JSR 286 spec(Portlet 2.0) does not break binary compatibility with JSR168(Portlet 1.0). This means that all portlets written against the Portlet 1.0 specification can run unchanged. The only exceptions to this rule are:
renderResponse.setContentType is no longer required before calling getWriter or getOutputstream. In JSR168, calling getWriter or getOutputstream without previously setting the content type resulted in an IllegalStateException.
getProtocol for included servlets / JSPs returns ‘HTTP/1.1’, In JSR168, it returned null.
So as long as your jsr168 portlet doesn't depend on the value returned by getProtocol() you're safe (ie every jsr168 portlet is a jsr286 portlet).
The posts you see seem to be logical as jsr286 is a newer spec and there are some features that make jsr268 portlet not a jsr168 portlet.
Ok, Since I've not found anything new that distinguishes a 2.0 portlet from a 1.0 portlet (aside from using additional services and ) I'll begin the lists for my answer here.
Must Do:
Conform to the 2.0 XSD for portlet.xml (xmlns="http://java.sun.com/xml/ns/portlet/portlet-app_2_0.xsd")
Must Not Do:
Rely on getWriter throwing an exception if renderResponse.setContentType has not been called yet. (Seems unlikely anyway)
Rely on getProtocol() returning null
The upshot is, if you simply convert your portlet.xml, you are now "286 compliant" unless you relied on the two items in the second list for your program flow. I can't find anything else, but if someone finds another item for these lists, please edit.
The good people of OWASP emphasize that you MUST use the escape syntax for the part of the HTML document you’re putting untrusted data into (body, attribute, JavaScript, CSS, or URL). See OWASP - XSS. Their API (developed by the ESAPI team) subsequently caters for this having encoders for each context:
ESAPI.encoder().encodeForHTML("input");
ESAPI.encoder().encodeForHTMLAttribute("input");
ESAPI.encoder().encodeForJavaScript("input");
ESAPI.encoder().encodeForCSS("input");
ESAPI.encoder().encodeForURL("input");
Subsequently this allows the developer to cater for DOM-based XSS .
So my question is how does GWT's safehtml package cater for this or does it merely focus on HTML encoding?
SafeHtmlTemplates will do it (client-side only though, as it relies on a GWT generator). It'll parse the HTML fragment using a "tag soup" parser, that will infer the context and either log a warning or throw if the argument cannot be used in this context (for instance, it prevents all use of placeholders in script context). This is still in flux though (SafeUri is still in review and SafeStyles is still severely limited) but it'll be there in due time (should be in GWT 2.4 I think).
Otherwise:
SafeHtmlUtils's will escape all of <, >, &, ' and " so the result is safe for "HTML" and "HTML attribute" contexts
SafeHtmlBuilder's various append methods will just call SafeHtmlUtils under the hood
UriUtils provides tools to scrub unsafe URIs (you'll still need a SafeHtmlUtils pass or equivalent afterwards if you're building an HTML string –vs. using the value directly for an image's source or anchor's href–).
SafeStyles doesn't provide anything specific in itself, but SafeHtmlTemplates will only allow it at the beginning of a CSS context, and will log a warning if you try to put anything else in a CSS context. SafeStylesBuilder is expected to be extended with type-safe methods, to help build well-formed CSS.
I've been working on a SafeUri interface, similar to SafeStyles but in a URL context. In due time, SafeHtmlTemplates will only allow a SafeUri or a String as the full value of a URL attribute, passing the String through UriUtils to make sure it's safe.
In brief, I think the answer to your question is: yes, GWT's safehtml package cater for this; but you'll probably have to always use the latest version of GWT (at least for the coming year) to be safe.
I'm working on preventing cross site scripting (XSS) in a Java, Spring based, Web application. I have already implemented a servlet filter similar to this example http://greatwebguy.com/programming/java/simple-cross-site-scripting-xss-servlet-filter/ which sanitizes all the input into the application. As an extra security measure I would like to also sanitize all output of the application in all JSPs. I have done some research to see how this could be done and found two complementary options.
One of them is the use of Spring's defaultHtmlEscape attribute. This was very easy to implement (a few lines in web.xml), and it works great when your output is going through one of spring's tags (ie: message, or form tags). The other option I have found is to not directly use EL expressions such as ${...} and instead use <c:out value="${...}" />
That second approach works perfectly, however due to the size of the application I am working on (200+ JSP files). It is a very cumbersome task to have to replace all inappropriate uses of EL expressions with the c:out tag. Also it would become a cumbersome task in the future to make sure all developers stick to this convention of using the c:out tag (not to mention, how much more unreadable the code would be).
Is there alternative way to escape the output of EL expressions that would require fewer code modifications?
Since Servlet 2.5/JSP 2.1 you could create a custom ELResolver which does that. You can register it in ServletContextListener#contextInitialized().
#Override
public void contextInitialized(ServletContextEvent event) {
JspFactory.getDefaultFactory()
.getJspApplicationContext(event.getServletContext())
.addELResolver(new YourCustomELResolver());
}
In the ELResolver#getValue() you could do the escaping job.
Your only problem is that you will be unable to display HTML there where it's allowed (i.e. already sanitized from malicious tags/attributes by kind of a whitelist so that you end up with innocent tags like Jsoup can do).
That said, I disagree the necessity to escape XSS during input by the Filter as you mentioned in 1st paragraph of the question. You risk double-escaping. You only need to escape it at exactly that point where it can possibly harm, i.e. straight in the view side there where it's going to be inlined among HTML, the output. I recommend to get rid of that so-called XSS filter and concentrate you on fixing it in the view side by either using JSTL <c:out> or fn:escapeXml() (or a custom EL resolver, but that's definitely not the normal approach). The future code maintainers will be greatly thankful.
This blog post describes a custom ELResolver which escapes EL expression values of type String. Registering this custom ELResolver will cause it to escape the output of all EL expressions. In the exceptional cases where a JSP must programmatically output HTML, you require a mechanism that does not involve an EL expression, such as a custom tag or a scriptlet:
<%= "Java expression hopefully returning safe HTML" %>
I agree you shouldn't have to use c:out around every variable.
I wrote a blog describing why at http://tech.finn.no/2011/04/08/xss-protection-whos-responsibility/
It touches on much that is said here.