|
Hi Brad and Joe - Definitely, BUT ... I would recommend using the named entity codes rather than the numeric. E.g. translate < to < rather than < etc. This helps avoid code point problems. Ken Southern Wine and Spirits of Nevada, Inc. Opinions expressed are my own and do not necessarily represent the views of my employer or anyone in their right mind. > -----Original Message----- > From: Stone, Brad V (TC) [SMTP:bvstone@taylorcorp.com] > Sent: Monday, February 12, 2001 05:17 > To: 'JAVA400-L@midrange.com' > Subject: RE: Source Evaluation? > > I agree, Joe. This applies to all CGI programming, not just Java, though > (which should be pointed out for anyone lurking <bg>). > > Brad > > > -----Original Message----- > > From: Joe Teff [mailto:JoeTeff@earthlink.net] > > Sent: Saturday, February 10, 2001 2:28 PM > > To: JAVA400-L > > Subject: RE: Source Evaluation? > > > > > > I would make a slight change to your routine that writes > > dynamic data as > > HTML: > > > > public void writeDetail(String[] fieldList, ResultSet rs, > > PrintWriter > > out) { > > try { > > while(rs.next()) { > > out.println("</tr><tr>"); > > for(int i=0; i<fieldList.length; i++) { > > > > out.println("<td>" + > > encode(rs.getString(fieldList[i]).trim()) + > > "</td>"); > > } > > } > > } catch (Exception e) { > > out.println("<br>Error Message (writeDetail): " + e); > > } > > } > > > > This is an example of an encode() method: > > > > public static String encodeData(String str) { > > StringBuffer encoded = new StringBuffer(str.length()*2); > > for (int i=0; i<str.length(); i++) { > > switch (str.charAt(i)) { > > case '<' : encoded.append("<"); break; > > case '>' : encoded.append(">"); break; > > case '"' : encoded.append("""); break; > > case '\'' : encoded.append("'"); break; > > case '%' : encoded.append("%"); break; > > case ';' : encoded.append(";"); break; > > case '(' : encoded.append("("); break; > > case ')' : encoded.append(")"); break; > > case '&' : encoded.append("&"); break; > > case '+' : encoded.append("+"); break; > > default : encoded.append(str.charAt(i)); > > } > > } > > return encoded.toString(); > > } > > > > This is a standard defense against one of the hacking > > techniques. Imagine > > if someone had keyed the following into a field like an address: > > > > [script]alert('Hi fathead!');[/script] > > > > (The mailing list bounced my original message because of the > > beginning and > > ending script tags. You'll have to substiture <> for [] in my > > example.) > > > > Anybody that knows a little about JavaScript can see what will happen > > if this data was included in your HTML. Imagine the kind of > > things that > > you could do. > > > > Joe Teff > > > > +--- > > | This is the JAVA/400 Mailing List! > > | To submit a new message, send your mail to JAVA400-L@midrange.com. > > | To subscribe to this list send email to JAVA400-L-SUB@midrange.com. > > | To unsubscribe from this list send email to > > JAVA400-L-UNSUB@midrange.com. > > | Questions should be directed to the list owner: joe@zappie.net > > +--- > > > +--- > | This is the JAVA/400 Mailing List! > | To submit a new message, send your mail to JAVA400-L@midrange.com. > | To subscribe to this list send email to JAVA400-L-SUB@midrange.com. > | To unsubscribe from this list send email to > JAVA400-L-UNSUB@midrange.com. > | Questions should be directed to the list owner: joe@zappie.net > +--- +--- | This is the JAVA/400 Mailing List! | To submit a new message, send your mail to JAVA400-L@midrange.com. | To subscribe to this list send email to JAVA400-L-SUB@midrange.com. | To unsubscribe from this list send email to JAVA400-L-UNSUB@midrange.com. | Questions should be directed to the list owner: joe@zappie.net +---
As an Amazon Associate we earn from qualifying purchases.
This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].
Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.