xml.append("<alertDesc>");
xml.append(desc);
xml.append("</alertDesc>");
response.getWriter().write(xml.toString());
response.setContentType("text/xml");
response.setHeader("Cache-Control", "no-cache");
xml is a StringBuffer object.
I have this piece of code and there is some leakage of sensitive data from the syntax response.getWriter().write(xml.toString());. I don't have any idea of this thing.
Can any one tell me something about this? This issue is been reported by a code audit tool.
Its a wild guess, but did you forget to close a variable?
use validator and escaping techniches from ESAPI to wrap the desc field It will help!!!!!
Related
I have used this code to decode a URI string:
java.net.URLDecoder.decode(request.getParameter("comment"), "UTF-8"). and it works. e.g.
Input: cl%C4%81mor
Output: clāmor
But when I use #MultipartConfig in my java servlet file, this happens:
Input: cl%C4%81mor
Output: cl%C4%81mor
I am not sure why this didn't work. Can you tell me why this happened and/or how to fix it? Thanks in advance.
Could it be that #MultipartConfig changes the default request encoding in your setup? Can you check what request.getCharacterEncoding() returns UTF-8? Is the value returned from request.getParameter("comment") different after you add #MultipartConfig.
It would be easier to answer if you would provide more information about your setup. If you are using Spring with JEE annotations maybe you want to look at this answer.
Good afternoon,
I'm trying resolve the classic encoding error in java, but I don't know what to do...
I try:
add on jsp: <%#page contentType="text/html"pageEncoding="UTF-8"%>
use "SQL_Latin1_General_CP1_CI_AS" no select(sqlserver)
add "CharacterSet=UTF-8" on String conection of jdbc
add response.setContentType("application/json"); and response.setCharacterEncoding("utf-8"); on servlet
but nothing works!!!!
SGBD: SQL Server
Server: GlassFish
Exemple record of database "Está"
what can I do?
Seems that you have jtds parameter sendStringParametersAsUnicode=false
One solution is to change it to true. If not then:
SQL_Latin1_General_CP1_CI_AS is CP-1252 (Windows-1252) encoding, so to search in database you need to encode your Unicode string to Windows-1252:
new String(value.getBytes("UTF-8"), "Windows-1252")
Vice versa after read from database:
new String(value.getBytes("Windows-1252"), "UTF-8")
Hard to understand the title I know. I am importing keywords from a CSV File in a format like this:
"Business Intelligence";
"Big Data";
with doublequotes. Afterwards I do a HTTP GET Request with each of these Keywords like this:
"http://www.stepstone.de/5/ergebnisliste.html?ke="+ context.keywordname +"&li=1000000"
My outputfile does this:
"C:/Talend/workspace/WEBCRAWLER/output/keywords_" + context.keywordname +".txt"
Obviously you can't write double quotes in the file name. What can I do as a workaround?
I already tried adding " in the get request, but it didn't work out unfortunatelly!
Thank you!
Use HTML encode on the files:
"Business Intelligence";"Big Data";
would become
"Business Intelligence";"Big Data";
I used the following site: http://www.opinionatedgeek.com/DotNet/Tools/HTMLEncode/encode.aspx
Unfortunately there's no easy way to that that in Talend, however you could try to use:
java.net.URLEncoder
http://docs.oracle.com/javase/7/docs/api/java/net/URLEncoder.html
if you want to create file name with keyword then you can replace/remove keywords double quotes using replace function please check below code, i think this will work for you.
"C:/Talend/workspace/WEBCRAWLER/output/keywords_" + context.keywordname.replace("\"\"", "") +".txt"
I want a user to be able to submit a url, and then display that url to other users as a link.
If I naively redisplay what the user submitted, I leave myself open to urls like
http://somesite.com' ><script>[any javacscript in here]</script>
that when I redisplay it to other users will do something nasty, or at least something that makes me look unprofessional for not preventing it.
Is there a library, preferably in java, that will clean a url so that it retains all valid urls but weeds out any exploits/tomfoolery?
Thanks!
URLs having ' in are perfectly valid. If you are outputting them to an HTML document without escaping, then the problem lies in your lack of HTML-escaping, not in the input checking. You need to ensure that you are calling an HTML encoding method every time you output any variable text (including URLs) into an HTML document.
Java does not have a built-in HTML encoder (poor show!) but most web libraries do (take your pick, or write it yourself with a few string replaces). If you use JSTL tags, you get escapeXml to do it for free by default:
ok
Whilst your main problem is HTML-escaping, it is still potentially beneficial to validate that an input URL is valid to catch mistakes - you can do that by parsing it with new URL(...) and seeing if you get a MalformedURLException.
You should also check that the URL begins with a known-good protocol such as http:// or https://. This will prevent anyone using dangerous URL protocols like javascript: which can lead to cross-site-scripting as easily as HTML-injection can.
I think what you are looking for is output encoding. Have a look at OWASP ESAPI which is tried and tested way to perform encoding in Java.
Also, just a suggestion, if you want to check if a user is submitting malicious URL, you can check that against Google malware database. You can use SafeBrowing API for that.
You can use apache validator URLValidator
UrlValidator urlValidator = new UrlValidator(schemes);
if (urlValidator.isValid("http://somesite.com")) {
//valid
}
I need to fix a issue for xss vulnerability. the code segment is below.
StringBuffer xml = new StringBuffer();
xml.append("<?xml version=\"1.0\"?>");
xml.append("<parent>");
xml.append("<child>");
for(int cntr=0; cntr < dataList.size(); cntr++){
AAAAA obj = (AAAAA) dataList.get(cntr);
if(obj.getStatus().equals(Constants.ACTIVE)){
xml.append("<accountNumber>");
xml.append(obj.getAccountNumber());
xml.append("</accountNumber>");
xml.append("<partnerName>");
xml.append(obj.getPartnerName());
xml.append("</partnerName>");
xml.append("<accountType>");
xml.append(obj.getAccountType());
xml.append("</accountType>");
xml.append("<priority>");
xml.append(obj.getPriority());
xml.append("</priority>");
}
}
xml.append("</child>");
xml.append("</parent>");
response.getWriter().write(xml.toString());
response.setContentType("text/xml");
response.setHeader("Cache-Control", "no-cache");
The issue is at the line having the syntax response.getWriter().write(xml.toString()); It says that it is vulnerable for xss attack. I have done sufficient home work and also installed ESAPI 2.0. but I donot know how to implement the solutions.
Please suggest a solution.
You should always escape any text and attribute nodes you insert into an XML document, so I would expect to see
xml.append("<accountType>");
xml.append(escape(obj.getAccountType()));
xml.append("</accountType>");
where escape() looks after characters that need special treatment, eg. "<", "&", "]]>", and surrogate pairs.
Better still, don't construct XML by string concatenation. Use a serialization library that allows you to write
out.startElement("accountType");
out.text(obj.getAccountType());
out.endElement();
(I use a Saxon serializer with the StAX XMLStreamWriter interface when I need to do this, but there are plenty of alternatives available.)
As I can understand:
AAAAA obj = (AAAAA) dataList.get(cntr);
here you have got some data from external source.
Then you've got to validate this data. Otherwise anyone can put any data there, that would cause the destruction on client side (cookies will be stolened for example).
ANSWER-- the code using the ESAPI is below.
xml.append(ESAPI.encoder().encodeForXML(desc));
It will escape the data in the variable 'desc'. By the implementation of this, the content in the variable 'desc' will be readed as data not executable code and hence the data will not get executed in the browser on the response of the back end java code.