What is the simplest way to replace quote characters with \" sequence inside string values?
That'll be the fn:replace() function.
<%@ taglib prefix="fn" uri="http://java.sun.com/jsp/jstl/functions" %>
...
${fn:replace(foo, '"', '\\"')}
Unrelated to the concrete question, this is an often recurring requirement in order to prevent malformed HTML when redisplaying user-controlled input as an HTML attribute. Normally, you should use <c:out> or fn:escapeXml() for this instead. E.g.
<input name="foo" value="<c:out value="${param.foo}" />" />
<input name="foo" value="${fn:escapeXml(param.foo)}" />
It not only takes quotes into account, but also all other XML special characters like <, >, &, etc.
See also:
XSS prevention in JSP/Servlet web application
Use JavaScript's replace (with /g to replace all occurrences)
string.replace(/"/g, '\\"')
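As an added example (not part of the answer above, names are my own): the single replace handles only the quote. If the result is going to sit inside a double-quoted JavaScript string literal, backslashes must be escaped first (otherwise the escapes just added get doubled), and line breaks and `</` need treatment too when the literal is printed into a `<script>` block. The round trip uses JSON.parse as the parser because JSON string syntax accepts exactly the escapes produced here.

```javascript
// Escape a value for embedding inside a double-quoted JS string literal.
// Added example; not code from the original page.
function escapeJsString(s) {
  return String(s)
    .replace(/\\/g, '\\\\')        // backslash FIRST, so the escapes added below are not doubled
    .replace(/"/g, '\\"')          // the quote from the question
    .replace(/\n/g, '\\n')         // a raw newline would end the literal (unterminated string)
    .replace(/\r/g, '\\r')
    .replace(/\u2028/g, '\\u2028') // line separators older engines treat as line terminators
    .replace(/\u2029/g, '\\u2029')
    .replace(/<\//g, '<\\/');      // "</script>" inside the literal would close the <script> element
}

// Wrong order, kept for comparison: quote first, then the backslash pass
// doubles the backslash that the quote pass just inserted.
function escapeJsStringWrongOrder(s) {
  return String(s).replace(/"/g, '\\"').replace(/\\/g, '\\\\');
}

// Round trip: wrap the escaped text in quotes and parse it back as a string literal.
function roundTrip(s) {
  return JSON.parse('"' + escapeJsString(s) + '"');
}

// Constructed sample input: quotes, a backslash, a closing script tag and a newline.
const SAMPLE = 'say "hi"\\ and </script>\nnext';
```

Calling `roundTrip(SAMPLE)` returns the original text unchanged, while `escapeJsStringWrongOrder('"')` yields `\\"` (a literal backslash followed by an unescaped quote), which is exactly the ambiguity the ordering avoids.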
Related
Using Twig in Symfony 5, it appears that declarations in the template like this:
<input type='text' value='hello' />
are automatically replaced by
<input type="text" value="hello" />
I'm using a JS library (Yaireo Tagify) which can automatically populate an input with a JSON object (so with quotes), which implies using single quotes in the input attribute. See the discussion here: https://github.com/yairEO/tagify/issues/597
Could you help me ?
Thanks !
DevTools give an incorrect view of output source...
Twig won't change single quotes to double quotes
I have various things that need to end up in a CGI form, thus:
<INPUT TYPE="TEXT" SIZE=64 MAXLENGTH=64 NAME="name" VALUE="thing">
...my understanding (limited, but I'm learning) is that CGI inputs require double quotes as delimiters.
However, some of the things I need to put in there have double quotes. Some have single. Some have none. Some could easily have both. Basically, anything at all might end up in that field (because this is in a field generator, and the idea is to generate the content for those fields from whatever one might desire.)
Conceptually, I imagine:
<INPUT TYPE="TEXT" SIZE=64 MAXLENGTH=64 NAME="name" VALUE="a \"Quoted\" thing with backslash thusly: \\">
...but have no idea if that's right, or what.
Use HTML entities. &quot; == " and so on.
so...
<INPUT TYPE="TEXT" SIZE=64 MAXLENGTH=64 NAME="name" VALUE="a &quot;Quoted&quot; thing with backslash thusly: \">
...does the trick.
I have a web page that queries a database dynamically to display data on the page, similar to a database tool like Toad, etc. (not even close, of course :), example for illustration only).
The problem is data gets trimmed when displayed on the page. This is how I display data using JSF
<h:outputText value="#{record[columnIndex].toDisplayString()}" />
I believe it is about html rendering. What should I do? Write an html encoder? How? Help would be highly appreciated.
The <h:outputText> doesn't trim the value at all.
Perhaps you're talking about whitespace like leading/trailing spaces, tabs, newlines, carriage returns, etc in the value, which have by default totally no meaning in HTML markup. It just becomes part of the HTML source code, but not the HTML presentation. Newlines, for example, are in HTML to be represented by the <br> element, not by the \n character.
If you'd like to preserve the whitespace in an HTML element node as it is in the HTML source code, then you need to set the parent HTML element's CSS white-space property to pre in order to preserve it. If you'd like to wrap lines in block elements, then use pre-wrap.
E.g.
<h:outputText ... styleClass="preformatted" />
with
.preformatted {
white-space: pre-wrap;
}
An alternative is to convert the text to valid HTML markup yourself. E.g. replacing every occurrence of \n character by the <br/> string. You could use an EL function for this.
See also:
Component to inject and interpret String with HTML code into JSF page
I created a web form with JSP, and to prevent attacks I do the following:
input.replace("<", "something else");
input.replace(">", "something else");
so a user cannot add HTML or other tags inside a form.
Is this enough to prevent attacks of this kind (insertions of HTML or other tags inside my website)?
Thank you
JH. G.
In short, no. I recommend that you should checkout the ESAPI project for this. They have built in tools to HTML encode requests and responses as to prevent XSS attacks.
This is not entirely the right way. It's not only incomplete, as ', " and & also need to be escaped, but you should actually be using JSTL <c:out> or fn:escapeXml() to escape HTML/XML entities on the view side.
E.g.
<c:out value="${bean.value}" />
<input type="text" name="foo" value="${fn:escapeXml(param.foo)}" />
See also:
XSS prevention in JSP/Servlet web application
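An added example, not code from any of the answers, serving both the fn:escapeXml()/<c:out> recommendation earlier on this page and the "replace < and >" question just above (and the JSF answer's suggestion of converting \n to <br/>): the five replacements JSTL's fn:escapeXml performs, next to the angle-bracket-only filter from the question, rendered into a double-quoted value attribute and checked with a small attribute tokenizer of my own. The payload is constructed; it contains no < or >, so the naive filter passes it unchanged and it breaks out of the attribute.

```javascript
// The characters fn:escapeXml rewrites, with the replacements the JSTL spec uses.
const XML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&#034;', "'": '&#039;' };

// Equivalent of fn:escapeXml(value) / <c:out value="..."/>: one pass, '&' included.
function escapeXml(s) {
  return String(s).replace(/[&<>"']/g, (ch) => XML_ESCAPES[ch]);
}

// The filter from the question: angle brackets only, replaced with placeholders.
function naiveFilter(s) {
  return String(s).replace(/</g, '[lt]').replace(/>/g, '[gt]');
}

// Render the value into a double-quoted attribute, as the JSP in the answers does.
function renderInput(value, escaper) {
  return `<input type="text" name="foo" value="${escaper(value)}">`;
}

// Minimal tokenizer for the attributes of a single <input ...> tag:
// name, optionally ="...". Enough to show where the attribute boundary ended up.
function attributeNames(tag) {
  const inner = tag.slice('<input'.length, tag.lastIndexOf('>'));
  const re = /([A-Za-z_:][\w:.-]*)(?:\s*=\s*"([^"]*)")?/g;
  const names = [];
  let m;
  while ((m = re.exec(inner)) !== null) names.push(m[1]);
  return names;
}

// For the JSF whitespace answer: escape FIRST, then turn line breaks into <br/>.
// Doing it the other way round would let user input carry real markup.
function nl2br(s) {
  return escapeXml(s).replace(/\r\n|\r|\n/g, '<br/>');
}

// Constructed attack value: closes the value attribute and adds an event handler.
const PAYLOAD = '" onfocus="alert(1)" autofocus="';
```

With the naive filter, `attributeNames(renderInput(PAYLOAD, naiveFilter))` reports five attributes, including `onfocus` and `autofocus`; with `escapeXml` the whole payload stays inside `value` and only `type`, `name` and `value` remain. That is the point of the answer: the attribute-context break needs no angle brackets at all.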
In my ASP.NET 1.1 application, I am compressing and replacing the hidden Viewstate variable with an alternate compressed value, stored in a hidden field called __VSTATE. This works well but on a few occasions, submitting a page causes the common "potentially dangerous Request.Form value ..." error.
I examined the __VSTATE value and nothing seems to be potentially dangerous. I was able to reproduce the error with a completely stripped down version of the page and __VSTATE value as shown below. Pressing the submit button causes the error. The page works fine if I change the value to "".
<%@ Page Language="vb" AutoEventWireup="false" Codebehind="Dangerous.aspx.vb" Inherits="Dynalabs.Dangerous" %>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<body MS_POSITIONING="FlowLayout">
<form id="Form1" method="post" runat="server">
<input type="hidden" id="__VSTATE" runat="server" value="Onw=" />
<asp:Button ID="btnSubmit" Runat="server" Text="Submit" />
</form>
</body>
</html>
Changing the field name to "MyHiddenWT" made no difference. Removing the runat="server" did stop the error but that just means that .NET only examines server side controls. I also tried some additional values and found that of the following:
"Anw=", "Bnw=", "Cnw=", ... "Nnw=", "Onw=", "Pnw=", ... "Znw=",
"Onw=" is the only one that causes the problem. Is the capital O being seen as an octal value somehow?
Can someone explain why this value is triggering the error message? I'm also looking for a solution but, please, do not tell me to remove page validation. That's the same as saying a car with bad brakes can be fixed by not driving the car.
Thank you in advance.
My first guess is that it looks like a "OnSomething=" javascript event declaration.
It's a little weird that only the capital O triggers the error. Did you test with the lowercase o as well?
Can you try these: "OnClick=", "abc OnClick=", "onclick=", "abc onclick=", "anw=", "bnw=", ...
If "OnSomething=x" javascript is a problem, then simply adding another character to your values should do the trick. Maybe a simple 'v' should do.
<input type="hidden" id="__VSTATE" runat="server" value="vOnw=" />
And then on submit, you remove the extra character before decoding.
Or better yet, upgrade to 2.0.
You've got the essence of the reason. Here's the best link in a response I got from another site:
http://groups.google.com/group/microsoft.public.dotnet.framework.aspnet.security/browse_thread/thread/d91d89511401e979