|
I agree, Joe. This applies to all CGI programming, not just Java, though (which should be pointed out for anyone lurking <bg>).

Brad

> -----Original Message-----
> From: Joe Teff [mailto:JoeTeff@earthlink.net]
> Sent: Saturday, February 10, 2001 2:28 PM
> To: JAVA400-L
> Subject: RE: Source Evaluation?
>
>
> I would make a slight change to your routine that writes dynamic data as
> HTML:
>
> public void writeDetail(String[] fieldList, ResultSet rs, PrintWriter out) {
>   try {
>     while (rs.next()) {
>       out.println("</tr><tr>");
>       for (int i = 0; i < fieldList.length; i++) {
>         // a NULL column would otherwise throw on trim()
>         String value = rs.getString(fieldList[i]);
>         if (value == null) {
>           value = "";
>         }
>         // encode every column value before it reaches the browser
>         out.println("<td>" + encode(value.trim()) + "</td>");
>       }
>     }
>   } catch (Exception e) {
>     out.println("<br>Error Message (writeDetail): " + e);
>   }
> }
>
> This is an example of an encode() method:
>
> public static String encode(String str) {
>   StringBuffer encoded = new StringBuffer(str.length() * 2);
>   for (int i = 0; i < str.length(); i++) {
>     switch (str.charAt(i)) {
>       case '<'  : encoded.append("&lt;");   break;
>       case '>'  : encoded.append("&gt;");   break;
>       case '"'  : encoded.append("&quot;"); break;
>       case '\'' : encoded.append("&#39;");  break;
>       case '%'  : encoded.append("&#37;");  break;
>       case ';'  : encoded.append("&#59;");  break;
>       case '('  : encoded.append("&#40;");  break;
>       case ')'  : encoded.append("&#41;");  break;
>       case '&'  : encoded.append("&amp;");  break;
>       case '+'  : encoded.append("&#43;");  break;
>       default   : encoded.append(str.charAt(i));
>     }
>   }
>   return encoded.toString();
> }
>
> This is a standard defense against one of the hacking techniques. Imagine
> if someone had keyed the following into a field like an address:
>
> [script]alert('Hi fathead!');[/script]
>
> (The mailing list bounced my original message because of the beginning and
> ending script tags. You'll have to substitute <> for [] in my example.)
>
> Anybody that knows a little about JavaScript can see what will happen
> if this data was included in your HTML. Imagine the kind of things that
> you could do.
>
> Joe Teff
>
> +---
> | This is the JAVA/400 Mailing List!
> | To submit a new message, send your mail to JAVA400-L@midrange.com.
> | To subscribe to this list send email to JAVA400-L-SUB@midrange.com.
> | To unsubscribe from this list send email to JAVA400-L-UNSUB@midrange.com.
> | Questions should be directed to the list owner: joe@zappie.net
> +---
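The same output-encoding defense as a self-contained, runnable class (an added example written for this archive page, not code from Joe's message or from the JAVA/400 list). The class name `HtmlEncoder` and the method names are assumptions; the encoder covers the five characters that carry meaning in HTML text and quoted attributes, treats a SQL NULL as an empty cell, and runs the message's script sample through a table-row writer so the markup arrives at the browser as inert text.

```java
/** Added example, not the list's code: HTML output encoding for dynamic data. */
public class HtmlEncoder {

    /** Encode a value for HTML element content and double-quoted attribute values. */
    public static String encodeForHtml(String s) {
        if (s == null) {
            return "";                          // SQL NULL column: emit nothing, no NPE
        }
        StringBuilder out = new StringBuilder(s.length() * 2);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;  // starts an entity
                case '<':  out.append("&lt;");   break;  // starts a tag
                case '>':  out.append("&gt;");   break;  // ends a tag
                case '"':  out.append("&quot;"); break;  // ends a quoted attribute
                case '\'': out.append("&#39;");  break;  // &apos; is not defined in HTML 4
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    /** One table row; every cell value passes through the encoder, in text and attribute context. */
    public static String tableRow(String... cells) {
        StringBuilder row = new StringBuilder("<tr>");
        for (String cell : cells) {
            String enc = encodeForHtml(cell);
            // the same encoded value is safe both inside the quoted title and as cell text
            row.append("<td title=\"").append(enc).append("\">")
               .append(enc).append("</td>");
        }
        return row.append("</tr>").toString();
    }

    public static void main(String[] args) {
        // Constructed sample values for an "address" field, including the message's script sample
        String[] samples = {
            "<script>alert('Hi fathead!');</script>",
            "Smith & Sons, 1 \"Main\" St",
            null
        };
        for (String address : samples) {
            System.out.println(tableRow("Joe", address));
        }
    }
}
```

Run with `javac HtmlEncoder.java && java HtmlEncoder`; the script sample renders as visible angle brackets rather than executing, and the ampersand and quotes in the second sample display unchanged.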
This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page.