I have a Java/JSP webapp that has started showing a bug after I added fn:escapeXml() to a tag that constructs a URL.
The original code was
<p id="provide-link">
Follow this link to see the source data:
<q:link href="../resources/source-data.jsp"
sourceData="${chart.parameters.source}">
Source Data
</q:link>
</p>
q:link is a custom tag that creates a hyperlink out of href as the base and sourceData as a GET parameter. For example, if chart.parameters.source = 'dataset03', then the link embedded in the page is
../resources/source-data.jsp&sourceData=dataset03.
The custom tag q:link is written to handle cases where chart.parameters.source is a Collection of multiple data sources, which is an allowed case.
This code works normally, but is vulnerable to script insertion attacks due to the GET parameter. Thus, I've added the JSTL function escapeXml() to the code to prevent this:
<p id="provide-link">
Follow this link to see the source data:
<q:link href="../resources/source-data.jsp"
sourceData="${fn:escapeXml(chart.parameters.source)}">
Source Data
</q:link>
</p>
When I do this, square brackets get added to the URL:
../resources/source-data.jsp&sourceData=[dataset03]
This is a problem because [dataset03] is not a valid value for the parameter.
The only thing I've found online about this problem is this question, which doesn't provide a full answer but suggests that ${fn:escapeXml(chart.parameters.source)} might be outputting as an Array now that it includes fn:escapeXml(). The theory is that q:link then catches and retains the Array brackets when it converts to String.
Anyone know what's happening and how to stop it?
Your last suggestion seems correct to me, the fn:escapeXml function has an argument of type String. If the parameter passed is a Collection, it will be converted through a toString() method (that add the []). It appends before the fn:escapeXml() call, so it’s not added inside it.
Rem: it doesn’t append without the escapeXml function because your custom tag retrieve and work on the Collection directly (iterating on its values inside probably).
One solution to convert the Collection passed as argument before passing it to the escapeXml fct; through a tag or EL expression (map()...)
Rem2: instead of using a custom tag to encode your url parameters, there are already these standard JSTL tags that do a similar job :
https://www.tutorialspoint.com/jsp/jstl_core_param_tag.htm
https://www.tutorialspoint.com/jsp/jstl_core_url_tag.htm
Hope that will help,
Kind regards,
Cedric
Related
I am receiving a JSON in the form of a string, need to mask a piece of information, however the JSON strucutre and key-names are always different but value's pattern is recognizable. Question being, what is an efficient way to traverse through String/JSONObject to mask that piece of data.
I've tried turning the String into a JSONObject and traverse through every embedded JSONObject/Array, detect the pattern, and replace that original value with its masked version. But this seems very time consuming when Logging this information out to console.
Value's pattern for reference is a 9-digit (Long) number.
Structure always varies from "{"key1":[{"innerKey1":123456789}]}" to "{"key1":"value1", "key2":{"innerKey1":123456789}"
Sample result : "{"key1":[{"innerKey1":"XXXXXX789"}]}"
If the JSON structure is always provided as optimized single line string you could just find the value in the string and replace it or get even more elaborate and use a regular expression to find the innerKey1:12345 match and replace that.
If this is just for logging purposes you can even implement this as a filter, depending on your logging framework it might be even configurable instead of having to code it.
I'm using the available transformation functions in the org.json library to transform json to xml. It's very simple to do like this.
String xmlStr = XML.toString(new JSONObject(jsonStr));
Everything was perfect until I needed to process some json that contained the content property like this.
{
"content": "X",
...
}
I expected this to convert to
<content>X</content>
but instead it converts to simply X without the opening and closing tags. So I checked the source code for XML.toString and "content" is treated special. The comment in the code says this.
// Emit content in body
I Googled and also found this.
Content text may be placed in a "content" member
However I can't find an explanation of what this is all about. What's the purpose and why would someone want this to be treated in a special way? Also If you can point me to a good explanation that would be quite helpful.
This seems to be a non-optimal implementation decision. The most recent discussion have taken place in org.json issue #394:
"content" is an unfortunately-named keyword in the XML <-> Java transformation. For the history of this issue, please see #344, #286, and #108. For more information about how the keyword works, see XMLTest.java contentOperations() in https://github.com/stleary/JSON-Java-unit-test.
No objection if someone wants to propose a workaround along the lines of #108, or any other approach that does not break existing applications.
There is underscore-java library with static method U.jsonToXml(json). It supports content key name. I am the maintainer of the project.
{
"content": "X"
}
Output:
<?xml version="1.0" encoding="UTF-8"?>
<content>X</content>
The first xpath is working whereas the second not:
First:
"//*[#id='j_idt46:j_username']";
Second:
"//*[contains(#id,'username']";
Why?
To what could be figured out of the information provided, the way you are using contains is possibly inappropriate :
As mentioned by #TuringTux - //*[contains(#id,'username')] could be the possible change if the same lined goes as it is in your code.
Also a good practice to follow in //*[contains(#id,'username')] , would be to replace * by an element type in html.
And lastly there could be chances when you are trying to access elements using //*[contains(#id,'username')], you may be ending up getting a list of these similar WebElements while you might be trying to access only a single at the same time.
In my app, I'm reading a xml file (with JAXB) but there is times that I have empty segments.
I put some examples
<tuv>
<seg>Unknown: the action taken should always be known</seg>
</tuv>
Here I read well the tag "seg", I can get all text "Unknown: the action taken should always be known" but if this text is like this:
<tuv>
<seg><bpt i="1" x-wb-tag="b1" />Unknown<ept i="1" x-wb-tag="/b1" />: the action taken should always be known</seg>
</tuv>
I don't get anything, my variable is empty and I want to get all text "Unknown: the action taken should always be known"
Could I get this text "Unknown: the action taken should always be known"? (I want this like a string)
Note: my variable's value is a "string"
Thanks!
I answer to my question if anybody needs it.
I have used #XmlMixed that return a object list.
Here there are more information: mixed element
i am using replace method for editing text in mysql database and its working well for
every time i try to replace a string by some other string e.g
REPLACE(Eligibility_Points , '(ii)', 'second point is')";
works well for above case
but does not work well in the following case
REPLACE(Eligibility_Points , '(ii)-(iii)', 'second and third point is')";
how should i fix this problem, thanks for your help
Assuming that this is the MySQL REPLACE string function you are talking about, the only reason I can see why the second example wouldn't work is that (maybe) the Eligibility_Points field (or whatever) doesn't contain the first string at all.
Maybe you could provide more context; e.g. what evidence you have that the replace isn't working.
However #vadchen makes a good point. If you do the replacement in the first example, then it will remove all examples that might trigger a replacement in the second example. Maybe you just need to do the "edits" in the reverse order.
There is no need to escape any of the characters in those fragments, either from the Java or SQL perspective.