together
I ty to build a SOAP Request with SAAJ. All works fine but now I have to send an other XMl Document inside the SOAP Body inside SOAP Element.
I tried follwing code:
SOAPElement file = service.addChildElement(new QName("nameOfTextNode"));
file.addTextNode(xmlString);
The Problem is most characters are correctly escaped (e.g. '<' -> <) but not single or double quotes. I can't use CDATA or let the quotes as they are, because i don't have control over the SOAP Service and they can't support CDATA or want to change anything.
When I use anothe Library to escape the String first. It will be escaped twice in the SOAP Request.
Do aynone have an idea? Please help.
SAAJ doesn't escape single or double quotes in this case because it's not required. If the service requires that, then it doesn't conform to the XML specification and therefore isn't a SOAP service. Since SAAJ implements SOAP, you won't be able to use it.
Related
I have a restful service(jersey) that returns a url with request parameters in one of the tags. Example :
<url>http://abc:9080/testMe.jsp?req1=a&req2=b</url>
(It's part of the response)
When I get the response, I get as below ('&' becomes '& a m p;', without any space. I added space to avoid escaping here):
<url>http://abc:9080/testMe.jsp?req1=a&req2=b</url>
I looked up in google and found many ways to do it in jaxb but nothing in Restful (JAXRS). Also, I tried a lame solution of adding backslash but with no success.
How can I prevent it from happening in java 1.6?
There is nothing you should change, since this is like XML works: & is a special character in XML and any & contained in text is escaped as &
Your expected result ...=a&req2=b... would not be a well-formed XML document, whereas the result returned by Jersey is well-formed.
When you want to access the url value in the response document, you will need to parse the response with a XML parser (e.g. into a DOM document) and the parsed document will have the url value as you expect.
I'm working on a webservice where, i created the wsdl and generated the java classes using apache axis2.
The problem I'm trying to solve is, while creating web service response I have to set text with special characters like Books & Pens Or Value is <10> in some of the fields. I am looking for ways to just put these field content in CDATA sections.
Example response my WebService has to send:
<BOOKSHOP>
<ITEM><![CDATA[BOOKS & PENS]]></ITEM>
</BOOKSHOP>
I'm not able to find a way to do this. I have googled but found no solution.
Any help would be really appreciated.
I'm aware of converting these special characters explicitly into & amp ; or & lt; but that does not work for us.
Also, We want to put just the required fields in CDATA and not entire XML response.
I tried #XmlCDATA but it works only if my text is XML structured.
I need to fix a issue for xss vulnerability. the code segment is below.
StringBuffer xml = new StringBuffer();
xml.append("<?xml version=\"1.0\"?>");
xml.append("<parent>");
xml.append("<child>");
for(int cntr=0; cntr < dataList.size(); cntr++){
AAAAA obj = (AAAAA) dataList.get(cntr);
if(obj.getStatus().equals(Constants.ACTIVE)){
xml.append("<accountNumber>");
xml.append(obj.getAccountNumber());
xml.append("</accountNumber>");
xml.append("<partnerName>");
xml.append(obj.getPartnerName());
xml.append("</partnerName>");
xml.append("<accountType>");
xml.append(obj.getAccountType());
xml.append("</accountType>");
xml.append("<priority>");
xml.append(obj.getPriority());
xml.append("</priority>");
}
}
xml.append("</child>");
xml.append("</parent>");
response.getWriter().write(xml.toString());
response.setContentType("text/xml");
response.setHeader("Cache-Control", "no-cache");
The issue is at the line having the syntax response.getWriter().write(xml.toString()); It says that it is vulnerable for xss attack. I have done sufficient home work and also installed ESAPI 2.0. but I donot know how to implement the solutions.
Please suggest a solution.
You should always escape any text and attribute nodes you insert into an XML document, so I would expect to see
xml.append("<accountType>");
xml.append(escape(obj.getAccountType()));
xml.append("</accountType>");
where escape() looks after characters that need special treatment, eg. "<", "&", "]]>", and surrogate pairs.
Better still, don't construct XML by string concatenation. Use a serialization library that allows you to write
out.startElement("accountType");
out.text(obj.getAccountType());
out.endElement();
(I use a Saxon serializer with the StAX XMLStreamWriter interface when I need to do this, but there are plenty of alternatives available.)
As I can understand:
AAAAA obj = (AAAAA) dataList.get(cntr);
here you have got some data from external source.
Then you've got to validate this data. Otherwise anyone can put any data there, that would cause the destruction on client side (cookies will be stolened for example).
ANSWER-- the code using the ESAPI is below.
xml.append(ESAPI.encoder().encodeForXML(desc));
It will escape the data in the variable 'desc'. By the implementation of this, the content in the variable 'desc' will be readed as data not executable code and hence the data will not get executed in the browser on the response of the back end java code.
I have a servlet which receive some parameter from the client ,then do some job.
And the parameter from the client is Chinese,so I often got some invalid characters in the servet.
For exmaple:
If I enter
http://localhost:8080/Servlet?q=中文&type=test
Then in the servlet,the parameter of 'type' is correct(test),however the parameter of 'q' is not correctly encoding,they become invalid characters that can not parsed.
However if I enter the adderss bar again,the url will changed to :
http://localhost:8080/Servlet?q=%D6%D0%CE%C4&type=test
Now my servlet will get the right parameter of 'q'.
What is the problem?
UPDATE
BTW,it words well when I send the form with post.
WHen I send them in the ajax,for example:
url="http://..q='中文',
xmlhttp.open("POST",url,true);
Then the server side also get the invalid characters.
It seems that just when the Chinese character are encoded like %xx,the server side can get the right result.
That's to say http://.../q=中文 does not work,
http://.../q=%D6%D0%CE%C4 work.
But why "http://www.google.com.hk/search?hl=zh-CN&newwindow=1&safe=strict&q=%E4%B8%AD%E6%96%87&btnG=Google+%E6%90%9C%E7%B4%A2&aq=f&aqi=&aql=&oq=&gs_rfai=" work?
Ensure that the encoding of the page with the form itself is also UTF-8 and ensure that the browser is instructed to read the page as UTF-8. Assuming that it's JSP, just put this in very top of the page to achieve that:
<%# page pageEncoding="UTF-8" %>
Then, to process GET query string as UTF-8, ensure that the servletcontainer in question is configured to do so. It's unclear which one you're using, so here's a Tomcat example: set the URIEncoding attribute of the <Connector> element in /conf/server.xml to UTF-8.
<Connector URIEncoding="UTF-8">
For the case that you'd like to use POST, then you need to ensure that the HttpServletRequest is instructed to parse the POST request body using UTF-8.
request.setCharacterEncoding("UTF-8");
Call this before you access the first parameter. A Filter is the best place for this.
See also:
Unicode - How to get the characters right?
Using non-ASCII characters as GET parameters (i.e. in URLs) is generally problematic. RFC 3986 recommends using UTF-8 and then percent encoding, but that's AFAIK not an official standard. And what you are using in the case where it works isn't UTF-8!
It would probably be safest to switch to POST requests.
I believe that the problem is on sending side. As I understood from your description if you are writing the URL in browser you get "correctly" encoded request. This job is done by browser: it knows to convert unicode characters to sequence of codes like %xx.
So, try to check how do you send the request. It should be encoded on sending.
Other possibility is to use POST method instead of GET.
Do read this article on URL encoding format "www.blooberry.com/indexdot/html/topics/urlencoding.htm".
If you want, you could convert characters to hex or Base64 and put them in the parameters of the URL.
I think it's better to put them in the body (Post) then the URL (Get).
i have html form with textarea in which i paste some XML, for example:
<network ip_addr="10.0.0.0/8" save_ip="true">
<subnet interf_used="200" name="lan1" />
<subnet interf_used="254" name="lan2" />
</network>
When user submit form, that data is send to Java server, so in headers i get something like that:
GET /?we=%3Cnetwork+ip_addr%3D%2210.0.0.0%2F8%22+save_ip%3D%22true%22%3E%0D%0A%3Csubnet+interf_used%3D%22200%22+name%3D%22lan1%22+%2F%3E%0D%0A%3Csubnet+interf_used%3D%22254%22+name%3D%22lan2%22+%2F%3E%0D%0A%3C%2Fnetwork%3E HTTP/1.1
how can i use that in my Java applications? I need to make some calculations on that data and re-send new generated XML.
This answer shows how to use the URLDecoder/URLEncoder classes to decode and encode url strings. It should work if you passed the 'GET' string to the URLDecoders decode method.
To answer your following question (comment)
First you need to extract this xml based response from the url string. Maybe it's enough to create a substring starting with the first < char.
The String should be fed into a XML parser to create a DOM document. The last easy task would be walking through that document and copying the values to your internal network model.
Do not think about using RegExp to extract the data. Use a parser.