Issue with StringEscapeUtils call and JSP form submit value - java

I am passing some param with a value from my JSP file, and before that I am using Apache StringEscapeUtils to avoid any XSS attack script execution using the param value.
For example, if somebody inserts a value like this and gains access:
The cross-site script test is currently failing when something like this is passed as the value:
site_locale=en_US%2F%3E%3Ciframe+src%3Djavascript%3Aalert%28116%29+
The blind SQL injection test is currently failing when something like this is passed:
isMgr=true%27+and+%27f%27%3D%27f%27%29+--+
My question here is whether StringEscapeUtils.escapeHtml will save me from the above type of param value passed, or do I need any other library?
I also wanted to confirm whether the way I am calling StringEscapeUtils in the JSP is correct or not.
<input type="hidden" name="site_locale" value="<%= StringEscapeUtils.escapeHtml(site_locale) %>">
Appreciate any pointers here.
Thanks

Try this.
Utility class for HTML form encoding
URLEncoder.encode(yoururlhere, "UTF-8")
Similarly, we have
java.net.URLDecoder.decode(yoururlhere, "UTF-8");
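As an added illustration (not code from the question or the answer above), the following stand-alone Java program shows what the two scanner payloads from the question look like after the servlet container has URL-decoded them, what StringEscapeUtils.escapeHtml does to each one when the hidden field is rendered with a double-quoted attribute, and why the isMgr value has to be bound as a JDBC parameter rather than concatenated into SQL. It assumes commons-lang 2.x (org.apache.commons.lang.StringEscapeUtils, the version whose escapeHtml the question calls) on the classpath; the users table and the is_mgr column in the JDBC method are hypothetical.

```java
import java.net.URLDecoder;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import org.apache.commons.lang.StringEscapeUtils; // commons-lang 2.x, as in the question

public class EscapeDemo {

    // Constructed sample values: the two parameter values from the question,
    // still URL-encoded exactly as they arrive on the wire.
    static final String LOCALE_RAW = "en_US%2F%3E%3Ciframe+src%3Djavascript%3Aalert%28116%29+";
    static final String ISMGR_RAW  = "true%27+and+%27f%27%3D%27f%27%29+--+";

    // The servlet container URL-decodes a parameter before request.getParameter()
    // returns it, so this is the string the JSP actually works with. Calling
    // URLEncoder/URLDecoder again in the JSP does not change the HTML context.
    static String asSeenByJsp(String encoded) throws Exception {
        return URLDecoder.decode(encoded, "UTF-8");
    }

    // Render the hidden field the way it should be written: the value is escaped
    // for the HTML attribute context AND the attribute is wrapped in double quotes.
    // escapeHtml (commons-lang 2.x) turns & < > " into entities but leaves the
    // single quote alone, so it only protects a double-quoted attribute; an
    // unquoted attribute ends at the first space and is not protected by it.
    static String hiddenField(String name, String value) {
        return "<input type=\"hidden\" name=\"" + StringEscapeUtils.escapeHtml(name)
             + "\" value=\"" + StringEscapeUtils.escapeHtml(value) + "\">";
    }

    // HTML escaping does nothing for SQL: the isMgr value must reach the database
    // as a bind parameter, never by string concatenation into the query text.
    // (Hypothetical table and column names.)
    static boolean isManagerFlagKnown(Connection conn, String isMgr) throws SQLException {
        String sql = "SELECT COUNT(*) FROM users WHERE is_mgr = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, isMgr); // bound as data; the quotes and "--" stay inside the value
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() && rs.getInt(1) > 0;
            }
        }
    }

    public static void main(String[] args) throws Exception {
        String locale = asSeenByJsp(LOCALE_RAW);
        String isMgr  = asSeenByJsp(ISMGR_RAW);
        System.out.println("decoded site_locale: " + locale);
        System.out.println(hiddenField("site_locale", locale));
        System.out.println("decoded isMgr: " + isMgr);
        System.out.println(hiddenField("isMgr", isMgr));
    }
}
```

Running it prints the first field as `value="en_US/&gt;&lt;iframe src=javascript:alert(116) "`, i.e. the tag markup is inert once the attribute is both escaped and quoted; the second field shows the SQL fragment passing through escapeHtml untouched, which is why the blind SQL injection finding is a database-access problem to be fixed with PreparedStatement, not an output-encoding problem.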

Related

How to read form parameter data using JSP without using scriptlet

I want to read the form parameter data using a scriptlet in #jsp. But I do not want to use any Java code in the JSP. Then do I need Expression Language or #JSTL or what?
Just noting this here in case anyone else has a similar issue.
If you're directing a request directly to a JSP, using Apache Tomcat web.xml configuration, then ${requestScope.attr} doesn't seem to work, instead ${param.attr} contains the request attribute attr.

PHP's variable variables analog in JSTL

In PHP we can do the following with the help of Variable variables in PHP:
$privateVar = 'Hello!';
$publicVar = 'privateVar';
echo $$publicVar; // Hello!
Suppose we have the following chunk of Java code:
request.setAttribute("privateVar", "Hello!");
request.setAttribute("publicVar", "privateVar");
I've tried the following but an error occurs.
${${publicVar}}
Does anyone know how we can get value of privateVar via using only publicVar in JSP (JSTL)?
UPDATE 1:
I have a custom tag which allows printing a message if an object foo doesn't have a field bar.
I know I must catch exceptions in the case but I don't want to handle ones in JSP. I want to do it only in CustomTag file.
<%-- JSP file --%>
<ctf:tagName varName="foo.bar" />
<%-- CustomTag file --%>
<%@ attribute name="varName" required="true" rtexprvalue="true"%>
<c:catch var="exception">
<c:set var="valX" value="${${varName}}" scope="page"/>
</c:catch>
<c:if test="${exception != null}">Can't find getter for the VAR in the OBJ.</c:if>
UPDATE 2:
JB Nizet gave me the answer and the following works well! :)
<c:set var="privateVar" value="Hello!" />
<c:set var="publicVar" value="privateVar" />
${pageScope[pageScope.publicVar]}
I don't think you can directly do this in the same way that you can in PHP. Instead you could change the attribute to use the value of the privateVar instead of the name, like this:
String privateVar = "Hello!";
request.setAttribute("privateVar", privateVar);
request.setAttribute("publicVar", privateVar);
This gives you access to the value under both names, which I think is the closest you'd get. No need to even put the attribute privateVar in the request if you are ultimately going to use publicVar on the JSP.
Ultimately you may want to rethink the design here as it doesn't really work in Java.
The basics:
That's not JSTL but Expression Language. And you should only use a single ${} evaluator. The code would be:
${publicVar}
More info:
StackOverflow Expression Language wiki
To your problem:
Expression Language doesn't allow that. You cannot have private attributes in any scope (page, request, session, application), so you can at most set the attribute twice with different names but the same value. But as you may note, this is useless.

how to share constants between Java and Javascript

I have in my java classes static variables CONSTANT_1, CONSTANT_2...
What is the best way to share these constants with my JavaScript functions, or is there a jQuery plugin for this?
Till now the only solution I can think of, is an ajax call in the beginning, to send these static variables to the client.
Thanks
I don't know whether this is the best way or not, but it works.
var constant1=<%=class.CONSTANT_1%>;
You can set this static variable in a hidden field; then you can access it from JavaScript using this hidden field:
<input type="hidden" value="<your static variable>" id="staticVariable" />
<script type="text/javascript">
function getStaticField(){
return document.getElementById("staticVariable").value;
}
</script>
I have faced this problem before. What I did is simply declare a hidden input field that I can access on the server side and set its value to whatever I want.
<input type="hidden" runat="server" id="hiddenInput" />
Then, using the programming language (I use C#):
hiddenInput.Value = ValueOnServerSide;
Then using jQuery i get the value of this input on the client side.
$("[id$='hiddenInput']").val();
There is a technology called 'DWR' (directwebremoting).
By using this we can access Java classes directly in JavaScript.
Try this; it may be helpful to you.
Reference links:
http://directwebremoting.org/dwr/introduction/getting-started.html
http://directwebremoting.org/dwr/introduction/scripting-dwr.html
You can use AJAX calls to get the value of the constants if you don't want to keep reloading the page.
If you are fine with the value only updating on refresh you can do what Sainath has told, this way you are not making unnecessary AJAX calls:
var constant1=<%=class.CONSTANT_1%>;
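The scriptlet approach above writes each constant into the page with `<%= %>`, which emits the value verbatim. That is fine for numeric constants, but a string constant lands inside a JavaScript string literal inside a `<script>` element, so any quote, backslash or `</script>` in it would break out of that context. As an added example (not code from any answer here), this Java helper renders a map of constants as one script block, leaving numbers and booleans bare and writing everything else as a JavaScript string whose delimiters and markup characters are `\uXXXX`-escaped; a JSP would emit its result with a single `<%= JsConstants.scriptBlock(...) %>`. The constant names are assumed to be Java identifiers chosen by the developer, not request input, and the sample values are constructed.

```java
import java.util.LinkedHashMap;
import java.util.Map;

// Added example: renders Java constants as a <script> block for the page.
public class JsConstants {

    // Constructed sample constants standing in for the question's CONSTANT_1, CONSTANT_2...
    // CONSTANT_2 deliberately contains markup so the escaping is visible in the output.
    public static final int    CONSTANT_1 = 42;
    public static final String CONSTANT_2 = "</script><b>x</b>";

    // Escape a Java string so it is safe inside a double-quoted JavaScript literal
    // that is itself embedded in an HTML <script> element: string delimiters,
    // backslash, slash, angle brackets, ampersand, control characters and the
    // two JS line terminators U+2028/U+2029 are written as \uXXXX escapes, which
    // the JS engine turns back into the original characters at runtime.
    static String jsString(String s) {
        StringBuilder sb = new StringBuilder("\"");
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            boolean escape = c == '"' || c == '\'' || c == '\\' || c == '/'
                          || c == '<' || c == '>' || c == '&'
                          || c < 0x20 || c == 0x2028 || c == 0x2029;
            if (escape) {
                sb.append(String.format("\\u%04X", (int) c));
            } else {
                sb.append(c);
            }
        }
        return sb.append('"').toString();
    }

    // Numbers and booleans are valid JS literals as-is; anything else is a string.
    static String jsLiteral(Object v) {
        if (v instanceof Number || v instanceof Boolean) {
            return v.toString();
        }
        return jsString(String.valueOf(v));
    }

    // One "var NAME = literal;" line per constant. Keys are assumed to be Java
    // identifiers defined by the developer, so they are not escaped here.
    static String scriptBlock(Map<String, Object> constants) {
        StringBuilder sb = new StringBuilder("<script type=\"text/javascript\">\n");
        for (Map.Entry<String, Object> e : constants.entrySet()) {
            sb.append("var ").append(e.getKey()).append(" = ")
              .append(jsLiteral(e.getValue())).append(";\n");
        }
        return sb.append("</script>\n").toString();
    }

    public static void main(String[] args) {
        Map<String, Object> c = new LinkedHashMap<>();
        c.put("CONSTANT_1", CONSTANT_1);
        c.put("CONSTANT_2", CONSTANT_2);
        System.out.print(scriptBlock(c));
    }
}
```

The output for the sample map is `var CONSTANT_1 = 42;` followed by `var CONSTANT_2 = "\u003C\u002Fscript\u003E\u003Cb\u003Ex\u003C\u002Fb\u003E";`, so the HTML parser never sees a closing script tag inside the block, while `CONSTANT_2` still holds the original string in the browser. The hidden-input variants in the other answers have the same requirement from the other direction: the value must be HTML-attribute-escaped when written into the `value` attribute.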

Websphere Commerce-TypedProperty

Can anyone help me to understand the usage of TypedProperty in websphere commerce?
i.e., how to pass values from one JSP to another using TypedProperty without a command class. I would prefer to handle it on my client side itself without invoking a Command class. Can anyone help me sort it out?
Typed property is usually used to pass values from controller commands to JSPs. If you just want to pass values from one JSP to another, create a form in your first JSP and submit it to the second.
If this is a form submit, set the values you need to pass in element. In the results jsp you can get those values using ${WCParam.xxx} .
FYI - To list out all the values in the WCParam object, try to print the below in the JSP:
${WCParamValues}
We use TypedProperty when we need to send anything from the command. For example, you give an order ID from the first JSP and want to get the final amount to be passed to the result JSP. Here in the command we use the orderID from the request object -> Then we use the OrderAccessBean to get the OrderTotal -> then we set this to a TypedProperty object -> we then set this TypedProperty object to the request properties using the setRequestProperties() OOB method in a controller command.
Hope this makes it clear !
TypedProperty is a class in Java which can be compared to a HashMap in Java for better understanding. It is a name-value pair combination.
I just wanted to understand the problem before answering further.
Why do you want to use TypedProperty in Jsp to pass the value from one jsp to another?
Are you importing the second jsp or including the second jsp to which you have to pass the values to?
If you are importing, you can use c:param tag to pass the values to the second jsp.
For included jsps, the values are already available in the second JSP.
Please include code snippets to explain your problem so that it can be answered clearly.
You can pass parameters from one jsp to another by using the following code snippet:
<c:import url="child.jsp">
<c:param name="name1" value="value1" />
<c:param name="name2" value="value2" />
<c:param name="name3" value="value3" />
</c:import>
Within the child.jsp you can read the parameters by using:
<c:out value="${param.name1}" />
<c:out value="${param.name2}" />
<c:out value="${param.name3}" />
A TypedProperty is nothing but a Wrapper to HashMap. So that's nothing to do here with passing values from one JSP to another JSP. Without invoking a command, you can't pass a Java object to another JSP.
And that is the very basic of Command Framework. I would prefer to go with the first answer.

How to access query string using Struts 2 tags from a JSP?

I am redirecting to a JSP that has to print the whole incoming query string. Like in this other question, Request parameter in jsp page, I do not want to access one parameter but the whole query string which I would accomplish in a scriptlet like: <%= request.getQueryString() %>
Thanks!
You can get the parameter object by the OGNL value stack #parameters
http://struts.apache.org/2.0.14/docs/ognl-basics.html
If you want to iterate it, you can do something like this (this example creates a hidden input for each param):
<s:iterator value="#parameters" var="param">
<s:hidden name="%{#param.key}" value="%{#param.value}" />
</s:iterator>
You can use the s:iterator tag in Struts 2 and get your string value in the JSP via OGNL, which is supported by Struts 2, without writing code in a scriptlet.
Please check below links for your reference.
http://www.vaannila.com/struts-2/struts-2-example/struts-2-ognl-expression-language-example-1.html
http://www.vaannila.com/struts-2/struts-2-example/struts-2-iterator-tag-example1.html
