JSF 2.0; escape="false" alternative to prevent XSS? - java

In my JSF web application I'm using a messages.properties to output some text. This text could contain HTML line breaks to format the output text.
That all works fine if I set the escape="false" attribute on the outputText.
The problem is that this attribute with the value "false" doesn't prevent XSS (cross-site scripting), so I removed the attribute and use the default value "true".
So, I don't want to split all text lines into separate properties in my messages.properties like in this example:
mytext = This is my text<br />with line break and user value {0}...
after:
mytext1 = This is my text
mytext2 = with line break and user value {0}...
Is there any way, other than escape="false", that prevents XSS?
Thanks!

It should be possible to just escape the user-supplied parameter using the standard JSTL functions in the http://java.sun.com/jsp/jstl/functions namespace:
<h:outputFormat value="#{bundle.myMessage}" escape="false">
    <f:param value="#{fn:escapeXml(param)}"/>
</h:outputFormat>
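As an added example (not code from the answer above, and not a JSF API), the same rule in JavaScript: escape the untrusted argument, never the trusted template. escapeXml rewrites the five characters that JSTL fn:escapeXml and JSF escape="true" rewrite, formatMessage is a stand-in for the {0} substitution that <h:outputFormat> performs, and the template text, the function names and the two input values are constructed for illustration.

```javascript
// Added example, not from the original answer: the template comes from a
// trusted messages.properties and may contain markup such as <br />; the
// {0} argument is untrusted and is HTML-escaped before substitution.

// Same rewrites as JSTL fn:escapeXml (note the numeric forms for the quotes).
function escapeXml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&#034;')
    .replace(/'/g, '&#039;');
}

// Minimal {n} substitution in the spirit of java.text.MessageFormat, with
// every argument escaped on the way in. Unknown indices are left untouched.
function formatMessage(template, args) {
  return template.replace(/\{(\d+)\}/g, (match, idx) => {
    const i = Number(idx);
    return i < args.length ? escapeXml(args[i]) : match;
  });
}

// Constructed template, as it would sit in messages.properties.
const MESSAGES = {
  mytext: 'This is my text<br />with line break and user value {0}...',
};

// Constructed inputs: a harmless value and a classic XSS probe.
const BENIGN = 'Alice';
const PAYLOAD = '<script>alert(1)</script>';

function renderBenign() {
  return formatMessage(MESSAGES.mytext, [BENIGN]);
}

function renderPayload() {
  return formatMessage(MESSAGES.mytext, [PAYLOAD]);
}

// The unsafe variant the question starts from: splicing the raw value into
// the template and then emitting the whole string with escape="false".
function renderUnsafe(value) {
  return MESSAGES.mytext.replace('{0}', value);
}
```

renderPayload() keeps the `<br />` from the template intact while the probe comes out as `&lt;script&gt;alert(1)&lt;/script&gt;`; renderUnsafe(PAYLOAD) is what reaches the browser when the raw value is inside the string that escape="false" prints.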

XSS can't happen if you're outputting HTML from a safe source that is not input or editable by the user. You can safely use escape="false" in this case.

Related

How to display html tags in from sql query in Spring view - JSP

I have a little problem with my Spring Boot application. I am fetching results from MySQL and the plain text is, for example:
<b>Hello World</b>
I am displaying it in the view, and the output I am getting is:
<b>Hello World</b>
I want to get this:
Hello World
How can I display those HTML tags (<b>, <a>, <font size> etc.)?
In a JSP, the <c:out value="${...}" /> tag automatically escapes the value so the characters <, >, &, ', and " will display correctly. This is as it should be, because without escaping your users may be vulnerable to cross-site scripting attacks.
There are two ways to insert HTML text without getting it escaped:
Ask the tag to not escape: <c:out value="${...}" escapeXml="false" />
Don't use the tag: ${...}
I'd recommend the first option, because it clearly documents that the lack of escaping is intentional.
Beware: If that text comes from a user, a malicious user may inject client-side scripts to attack all your other users.

Insert new line in struts2 messages.properties

I want to display the error message in two lines in Struts2:
User Name is not valid
Password is not valid
and my property is:
username.password.errrorMsg: User Name is not valid \n Password is not valid.
I added \n but it's displaying on a single line.
Can you suggest how to display it in two lines?
If you use a message format then the \n symbol adds a new line character. If you want to display this message with the actionerror or actionmessage tags you need to use <br> and let it not escape. For example
<s:actionmessage escape="false"/>
Because the new line/breaking character depends on where you use/show the message, it is better to use different messages for that.
invalid.userName = User Name is not valid
invalid.password = Password is not valid
In this way you can use them separately in case you want to show a specific message and display them as you want.
If you are displaying them in HTML/JSP using the S2 <s:text> tag then <br/> should work. But several tags escape HTML, so for example to use this kind of message in <s:property> with getText() you need to set the escapeHTML attribute to false.
Probably < br/> (without the space between < and b :P), as the output format is html.

xhtml: using '#' in a value attribute makes the characters after '#' being ignored

First of all, sorry for the bad title but I don't know how to describe it better.
My problem:
I want to display pictures in a <p:lightbox> element. Unfortunately the pictures contain '#' characters in their filenames, so they look like this, for example: desert_#1#.jpg.
Here is my code:
<p:panel id="showPics" closable="false" header="Fotos: ">
    <p:lightBox styleClass="imagebox">
        <p:dataList value="#{myBean.fotoList}" var="fl">
            <h:outputLink value="#{request.contextPath}/resources/pics/#{fl.PictureName}" title="#{fl.PictureName}">
                <h:graphicImage value="#{request.contextPath}/resources/pics/#{fl.PictureName}"/>
            </h:outputLink>
        </p:dataList>
    </p:lightBox>
</p:panel>
The bean value #{fl.PictureName} returns the filename, so in our example desert_#1#.jpg.
Now when I'm running my application, I get this error message:
Problem accessing /resources/pics/desert_. Reason: Not Found
So my guess is that the # characters in the picture name are recognized as references (or whatever you call them) to a bean method/value, which of course they aren't. Therefore the string after the first '#' in the filename isn't recognized anymore.
Unfortunately I cannot simply change the filename to get rid of the '#'s.
Could somebody tell me how to fix this? Thank you in advance!
UPDATE: I'm using JSF2.0 with Primefaces and Primefaces mobile components (since my application is a mobile web application) and Spring webflow framework. My IDE is Netbeans.
On the server side, encode the bean value using URI percent-encoding. In this case, the property should use %23 where # appears in the filename.

Adding HTML hyperlinks to java resource bundle properties files

I'm using Java Resource Bundles to manage messages.
I need to display a message in a JSF page and the message also contains some HTML markup.
Unfortunately the HTML code is also displayed on screen instead of being rendered as HTML by the browser:
i.e.
Click me here
My message in properties file:
clickme=Click me here
My JSF:
<h:outputText value="#{messages['clickme']}" />
Any ideas?
Thanks
JSF/Facelets escapes HTML special characters by default in order to prevent XSS attacks when redisplaying user-controlled data. You can turn it off on a per-<h:outputText> basis by explicitly setting the escape attribute to false.
<h:outputText value="#{messages['clickme']}" escape="false" />
You only need to make absolutely sure that you don't do this for unsanitized user-controlled data, which is everything that comes in with an HTTP request, such as headers, cookies, parameters, body, etc.

Getting wrong characters in parameter

In files.jsp I am using the following anchor and JSTL c:url combination:
<c:url value="downloadfile.jsp" var="dwnUrl" scope="request">
    <c:param name="fileType" value="PDF"/>
    <c:param name="fileId" value="${file.fileId}"/>
    <c:param name="fileName" value="${file.fileName}"/>
</c:url>
Download
On downloadfile.jsp I am getting the file name value into a JavaScript variable as:
selectedFile = <c:out value='${param.fileName}' />
Now, if the file name contains some extra characters, e.g. XYZ 2/3" Technical, then on the other page I am getting a different character: XYZ 2/3&#034; Technical
However, if I print request.getParameter("fileName"), it's giving the correct name. What is wrong?
The <c:out> by default escapes XML entities, such as the double quote. This is done to get well-formed XML and to avoid XSS.
To fix this, you should either get rid of <c:out>, since JSP 2.0 EL works perfectly fine in template text as well:
selectedFile = '${param.fileName}';
... or, if you're still on legacy JSP 1.2 or older, set its escapeXml attribute to false:
selectedFile = '<c:out value="${param.fileName}" escapeXml="false" />';
Note that I have added the single quotes and semicolon to make the JS code valid.
Needless to say, you'll need to keep XSS risks in mind if you do so.
The funky characters in your <c:param> values are being URL-encoded by <c:url>, as they should be. As far as downloadfile.jsp is concerned, the servlet container takes care of URL-decoding incoming parameters so you don't have to. This is normal behavior and shouldn't pose any problems for you.
If you simply turn escapeXml to false as @BalusC suggests, you will add an XSS vulnerability to your page. Instead, you should encode the user input at the time of injection into the destination language, and escape the characters that would be evaluated in the destination language. In this case, if the user input contained a single quote character (I'm assuming the string literal in your original example was supposed to be wrapped in single quotes, but the same would be true for double quotes if you were using them), any JavaScript code that followed it would be interpreted by the browser and executed. To safely do what you are trying to do, you should change the line in downloadfile.jsp to:
selectedFile = '${fn:replace(param.fileName, "'", "\\'")}';
That will escape only single quotes, which would otherwise end the string literal declaration.
If you were using double quotes, then this would be appropriate:
selectedFile = "${fn:replace(param.fileName, '"', '\\"')}";
It is worth noting that escapeXml could be appropriate for escaping JavaScript string literals (and it often is) when the string literal will eventually be dumped into HTML markup. However, in this case, the value should not be XML-escaped, as it is evaluated in the context of a file path rather than in the context of HTML.
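An added example (JavaScript, not code from any of the answers above) for the JavaScript-string context that the selectedFile = '...' line writes into. quoteOnly reproduces what escaping only the single quote does; jsStringLiteral is a context-correct encoder that also covers the backslash, control characters, the U+2028/U+2029 line terminators and a closing </script> sequence; evaluateSnippet parses the emitted assignment the way a script engine would, so the effect of each encoder can be checked rather than guessed. The function names and the sample file names are constructed for this example. The practitioner's caveat it demonstrates: a value whose quote is preceded by a backslash survives quote-only escaping and runs as code, so the encoder has to handle every character the destination grammar treats specially, not just the delimiter.

```javascript
// Added example, not from the original answers. Encoding an untrusted request
// parameter into a single-quoted JavaScript string literal.

// Equivalent of fn:replace(param.fileName, "'", "\\'"): escapes the single
// quote and nothing else.
function quoteOnly(value) {
  return "'" + String(value).replace(/'/g, "\\'") + "'";
}

// Context-correct encoder for a single-quoted JS string literal. The backslash
// goes first (otherwise the escapes added later could be undone), then quotes,
// line terminators (including U+2028/U+2029, which end a JS line), the
// remaining control characters, and "</" so that a value containing </script>
// cannot close the inline <script> block in the HTML parser.
function jsStringLiteral(value) {
  const body = String(value)
    .replace(/\\/g, '\\\\')
    .replace(/'/g, "\\'")
    .replace(/"/g, '\\"')
    .replace(/\r/g, '\\r')
    .replace(/\n/g, '\\n')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029')
    .replace(/[\x00-\x1f\x7f]/g, c => '\\x' + c.charCodeAt(0).toString(16).padStart(2, '0'))
    .replace(/<\//g, '<\\/');
  return "'" + body + "'";
}

// Test harness only (dynamic code evaluation is not something to copy into a
// page): parses the emitted assignment as a script engine would and returns
// what selectedFile ends up holding. The newline before "return" matters: an
// injected "//" comment must not be allowed to swallow it.
function evaluateSnippet(literal) {
  try {
    return new Function('var selectedFile = ' + literal + ';\nreturn selectedFile;')();
  } catch (e) {
    return e.name + ': ' + e.message;
  }
}

// Constructed inputs.
const FILE_NAME = 'XYZ 2/3" Technical';                 // the name from the question
const BREAKOUT = "\\'; selectedFile = \"pwned\"; //";   // backslash, then the quote
const SCRIPT_CLOSE = 'a</script><script>alert(1)</script>';

// True when the decoded value is exactly the original, i.e. nothing broke out.
function roundTrips(value) {
  return evaluateSnippet(jsStringLiteral(value)) === value;
}
```

With quoteOnly, BREAKOUT becomes `'\\'; selectedFile = "pwned"; //'`: the escaped quote is consumed by the backslash, the literal ends early, and evaluateSnippet returns "pwned" because the injected statement ran. With jsStringLiteral the same input round-trips unchanged, as do the file name from the question, a value containing </script>, and values with newlines or other control characters that would make quoteOnly's output a syntax error.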
