

  • Subject: RE: Source Evaluation?
  • From: "Joe Teff" <JoeTeff@xxxxxxxxxxxxx>
  • Date: Sat, 10 Feb 2001 14:27:51 -0600
  • Importance: Normal

I would make a slight change to your routine that writes dynamic data as
HTML:

   public void writeDetail(String[] fieldList, ResultSet rs, PrintWriter out) {
     try {
       while(rs.next()) {
         out.println("</tr><tr>");
         for(int i=0; i<fieldList.length; i++) {
           // a SQL NULL comes back as null, so guard it before calling trim()
           String value = rs.getString(fieldList[i]);
           out.println("<td>" + encode(value == null ? "" : value.trim()) + "</td>");
         }
       }
     } catch (Exception e) {
       out.println("<br>Error Message (writeDetail): " + e);
     }
   }

This is an example of an encode() method:

   // replaces the characters that carry meaning in HTML/JavaScript with
   // numeric character references so the browser shows them as literal text
   public static String encode(String str) {
     StringBuffer encoded = new StringBuffer(str.length()*2);
     for (int i=0; i<str.length(); i++) {
       switch (str.charAt(i)) {
         case '<'  : encoded.append("&#60;"); break;
         case '>'  : encoded.append("&#62;"); break;
         case '"'  : encoded.append("&#34;"); break;
         case '\'' : encoded.append("&#39;"); break;
         case '%'  : encoded.append("&#37;"); break;
         case ';'  : encoded.append("&#59;"); break;
         case '('  : encoded.append("&#40;"); break;
         case ')'  : encoded.append("&#41;"); break;
         case '&'  : encoded.append("&#38;"); break;
         case '+'  : encoded.append("&#43;"); break;
         default   : encoded.append(str.charAt(i));
       }
     }
     return encoded.toString();
   }

This is a standard defense against one of the hacking techniques. Imagine
if someone had keyed the following into a field like an address:

    [script]alert('Hi fathead!');[/script]

(The mailing list bounced my original message because of the beginning and
ending script tags. You'll have to substitute <> for [] in my example.)

Anybody that knows a little about JavaScript can see what will happen
if this data was included in your HTML. Imagine the kind of things that
you could do.

Joe Teff

+---
| This is the JAVA/400 Mailing List!
| To submit a new message, send your mail to JAVA400-L@midrange.com.
| To subscribe to this list send email to JAVA400-L-SUB@midrange.com.
| To unsubscribe from this list send email to JAVA400-L-UNSUB@midrange.com.
| Questions should be directed to the list owner: joe@zappie.net
+---
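The following is an added, self-contained example (not from the post above or the JAVA/400 list) that runs the same entity-encoding scheme over a constructed row containing the post's sample payload. The class name EncodeDemo, the rowHtml() helper and the in-memory row standing in for the ResultSet are assumptions of this example; it also shows the null-column case that a bare rs.getString(...).trim() would not survive.

```java
import java.util.Arrays;
import java.util.List;
public class EncodeDemo {
    // Same entity scheme as the post's encode(); null becomes an empty cell instead of failing on trim().
    static String encode(String str) {
        if (str == null) {
            return "";
        }
        StringBuilder encoded = new StringBuilder(str.length() * 2);
        for (int i = 0; i < str.length(); i++) {
            char c = str.charAt(i);
            switch (c) {
                case '<':  encoded.append("&#60;"); break;
                case '>':  encoded.append("&#62;"); break;
                case '"':  encoded.append("&#34;"); break;
                case '\'': encoded.append("&#39;"); break;
                case '%':  encoded.append("&#37;"); break;
                case ';':  encoded.append("&#59;"); break;
                case '(':  encoded.append("&#40;"); break;
                case ')':  encoded.append("&#41;"); break;
                case '&':  encoded.append("&#38;"); break;
                case '+':  encoded.append("&#43;"); break;
                default:   encoded.append(c);
            }
        }
        return encoded.toString();
    }
    // Stand-in for the ResultSet loop in writeDetail: builds one <tr> from already-fetched column values (no database needed).
    static String rowHtml(List<String> values) {
        StringBuilder row = new StringBuilder("<tr>");
        for (String v : values) {
            row.append("<td>").append(encode(v == null ? null : v.trim())).append("</td>");
        }
        return row.append("</tr>").toString();
    }
    public static void main(String[] args) {
        // Constructed sample row: a name, the post's payload keyed into an address field, and a SQL NULL column.
        List<String> row = Arrays.asList("Joe", "<script>alert('Hi fathead!');</script>", null);
        String html = rowHtml(row);
        System.out.println(html);
        // Strip the <tr>/<td> markup this code emitted itself; nothing that remains may contain < or >.
        String cells = html.replaceAll("</?t[rd]>", "");
        if (cells.indexOf('<') >= 0 || cells.indexOf('>') >= 0) {
            throw new IllegalStateException("raw markup leaked into cell content");
        }
    }
}
```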
