I have used these imports: org.apache.commons.lang3.StringEscapeUtils, java.util.Properties, java.util.Map and a few other package imports.
I have placed this code:
<%@ page language="java" contentType="text/html; charset=UTF-8" %>
and this code: <% WebAppConfig webConf = new WebAppConfig( this.getServletContext() );
request.setCharacterEncoding("UTF-8");
%>
But there are a few Russian characters that I cannot get. I'm trying to get 2 names declared as parameters in the URL, without any luck.
The URL is not encoded/escaped.
I tried 2 ways to get the parameter without any luck.
1st I tried: String fullName = request.getParameter("fullName");
What I got is: ������� ����� �����������
Then I tried to pass the variables to a bean:
EEventBean ee = new EEventBean(); and
ee.setFullName(request.getParameter("fullName"));
The output was the same.
The way I'm trying to print the result is:
<tr>
<td width="50%">осударственного работника</td>
<td width="50%" class="value"><%= ee.getFullName() %></td>
</tr>
Every Russian word can be shown in the form, but I can't show the 2 parameters...
Is there a way to get the correct parameter from the URL?
EDIT: the server is Tomcat 5.5.28
What HTTP server are you using? It might well be failing to handle non-ASCII data when rendering JSP. Tomcat had a similar issue a few versions back: UTF-8 encoding fix for Tomcat and JSP.
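An added example (not code from the question or the answer above) that reproduces the symptom: a UTF-8 query-string value decoded by the container as ISO-8859-1 becomes mojibake, and re-interpreting the Latin-1 characters as UTF-8 bytes recovers it. The sample name is constructed; the clean fix on Tomcat is URIEncoding="UTF-8" on the <Connector> in server.xml, because request.setCharacterEncoding() only applies to the POST body, not to GET parameters.

```java
import java.nio.charset.StandardCharsets;

public class ParamEncodingDemo {

    /** Simulates what an older Tomcat hands back for a UTF-8 query parameter
     *  when the connector decodes the request URI as ISO-8859-1 (its default
     *  unless URIEncoding is set). Every byte becomes one Latin-1 character. */
    static String asLatin1Decoded(String utf8Value) {
        byte[] wireBytes = utf8Value.getBytes(StandardCharsets.UTF_8);
        return new String(wireBytes, StandardCharsets.ISO_8859_1);
    }

    /** Workaround usable inside a JSP or servlet when server.xml cannot be
     *  changed: ISO-8859-1 is a byte-for-byte mapping, so getting the bytes
     *  back and decoding them as UTF-8 restores the original text. */
    static String recoverUtf8(String misdecoded) {
        byte[] originalBytes = misdecoded.getBytes(StandardCharsets.ISO_8859_1);
        return new String(originalBytes, StandardCharsets.UTF_8);
    }

    public static void main(String[] args) {
        String fullName = "Иван Петров"; // constructed sample parameter value
        String garbled = asLatin1Decoded(fullName);
        // The garbled form is what request.getParameter() returns on a
        // mis-configured connector; the recovered form is the Cyrillic name.
        System.out.println("garbled:   " + garbled);
        System.out.println("recovered: " + recoverUtf8(garbled));
    }
}
```

Apply recoverUtf8() only to values you know were mis-decoded; once URIEncoding is fixed, running it on an already-correct string would corrupt it.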
Related
I have a problem to display German special characters.
My Java Bean tests some user input and fills an error message string if there is an error. In the jsp I access the Bean's error message if there is one using JSTL Core like so:
<c:if test="${MyBean.errorMsg != ''}">
<c:out value="${MyBean.errorMsg}" />
</c:if>
The error message is: "Alle Felder müssen ausgefüllt werden.";
It is displayed in Chrome as follows: "Alle Felder müssen ausgefüllt werden."
I tried including the following in the JSP:
<%@ page contentType="text/html" pageEncoding="UTF-8"%>
which worked for all text I output directly in JSP but not via the prefix c.
I tried to set the JSTL character encoding to UTF-8 via fmt:
<%@ taglib uri = "http://java.sun.com/jsp/jstl/fmt" prefix = "fmt" %>
<fmt:requestEncoding value = "UTF-8" />
Which did not solve it.
I put the following in the Controller Servlet that handles the request:
request.setCharacterEncoding("UTF-8");
This did not have any effect.
We have a very old web server with some JSP pages like the one below. I think I have checked the input parameter "version" against a whitelist "[a-zA-Z0-9]*". But Checkmarx still gives an XSS attack warning: "This untrusted data is embedded straight into the output without proper sanitization or encoding, enabling an attacker to inject malicious code into the output."
Do you know how to do this correctly in JSP pages? It is just used to display something from the parameter input.
<%@ page language="java" contentType="text/html; charset=UTF-8" pageEncoding="UTF-8"%>
<%@ page import="com.mytest.util.SecurityService"%>
<html>
<%
String version = SecurityService.getSafeContent(request.getParameter("version"));
%>
<head>
<title>My Project</title>
</head>
<body>
<div style="text-align: center">
<table>
<tr>
<td>
<div style="text-align: center"><%=version%></div>
</td>
</tr>
</table>
</div>
</body>
</html>
import org.apache.commons.lang3.StringUtils; // assumed: Apache Commons Lang StringUtils

public class SecurityService {
    public static final String PARAM_INVALID_DATA_POINT = "";

    // Allow-list validation: returns the input only if it is purely alphanumeric,
    // otherwise an empty string.
    public static String getSafeContent(String content) {
        if (!StringUtils.isEmpty(content) && content.matches("[a-zA-Z0-9]*")) {
            return content;
        }
        return PARAM_INVALID_DATA_POINT;
    }
}
Thanks,
It is because you are doing validation instead of sanitization. Validation is a control-flow type of approach for checking for vulnerable data (if not valid then...else...). Checkmarx SAST does data flow analysis but not control flow analysis.
While today you could mark it false positive, someone could come in and refactor the code and perhaps inadvertently change your validation regex. Since it is marked false positive, it is possible the broken validation won't be caught. This is a simple regex, but think what might happen if it were a more complicated regex in addition to other validation logic.
If you use something like the ESAPI encoder, it takes your potentially vulnerable input, changes it into a sanitized form, then returns the sanitized form. This would put the ESAPI encoder into the data flow, and should cause the result to be removed. Checkmarx SAST looks for sanitizers on the data flow path and, if a sanitizer is found, the data flow path is not reported as vulnerable.
So you would have code like:
<%
String version = ESAPI.encoder().encodeForHTML(request.getParameter("version"));
%>
There are other encoder options, you'd just have to make sure they are recognized in your version of Checkmarx SAST.
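An added example (not the question's code and not ESAPI) contrasting the two approaches in the answer above: allow-list validation returns the tainted value itself, so a data-flow scanner still sees it reach the output, whereas output encoding transforms the value on its way to the page. htmlEncode() is a hand-written stand-in for ESAPI.encoder().encodeForHTML() covering an HTML element-content context; the parameter values are constructed.

```java
import java.util.regex.Pattern;

public class OutputEncodingDemo {
    private static final Pattern VERSION = Pattern.compile("[a-zA-Z0-9]*");

    /** Validation (control flow): the input passes through unchanged when it
     *  is on the allow-list, otherwise an empty string is returned. Safe as
     *  long as the regex stays strict, but nothing in the data path changes. */
    static String validate(String content) {
        if (content != null && VERSION.matcher(content).matches()) {
            return content;
        }
        return "";
    }

    /** Encoding (data flow): every character HTML treats as markup in element
     *  content becomes an entity, so whatever the input contained, the output
     *  can only render as text. This is what a SAST sanitizer looks like. */
    static String htmlEncode(String content) {
        if (content == null) {
            return "";
        }
        StringBuilder out = new StringBuilder(content.length());
        for (int i = 0; i < content.length(); i++) {
            char c = content.charAt(i);
            switch (c) {
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '&':  out.append("&amp;");  break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#x27;"); break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    public static void main(String[] args) {
        String benign = "v12";                      // constructed: passes the allow-list
        String markup = "<b>hi</b> & \"quotes\"";   // constructed: contains markup characters
        System.out.println("validate(benign):   " + validate(benign));
        System.out.println("validate(markup):   [" + validate(markup) + "]");
        System.out.println("htmlEncode(benign): " + htmlEncode(benign));
        System.out.println("htmlEncode(markup): " + htmlEncode(markup));
    }
}
```

In the JSP this would replace SecurityService.getSafeContent(...) around request.getParameter("version"); keeping the validation as well is fine, but the encoder is the step the scanner recognises.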
According to your situation, your backend did a strict input limitation, so it can't be XSS. This warning is a false positive; just ignore it.
I'm writing a web app that uses a servlet to maintain an ArrayList of VideoData objects (these just contain basic information about movies like the title, type of movie, etc).
The servlet puts this List in the request's scope and forwards both the request and response to a jsp (only part of the servlet code is shown here):
import java.util.ArrayList;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class VideoServlet extends HttpServlet {
    private ArrayList<VideoData> library = new ArrayList<VideoData>();

    public void doGet(HttpServletRequest request,
                      HttpServletResponse response) {
        try {
            // put ArrayList in Request's scope
            request.setAttribute("the_table", library);
            request.getRequestDispatcher("/listvideos.jsp").forward(request,
                                                                     response);
            ...
The listvideos.jsp is shown below. I'm getting a Tomcat error stating that the uri for the JSTL cannot be resolved. I've used EL in other parts of my jsp code without having to have any special import line like this, and I'm not sure if JSTL is still the preferred way to solve this type of problem while still trying to adhere to MVC2 and keeping all the Java code in the Servlet. Can anyone point me in the right direction here? Ideally I'd like a pure EL solution, if that's possible.
<!DOCTYPE HTML PUBLIC '-//W3C//DTD HTML 4.01 Transitional//EN'
'http://www.w3.org/TR/html4/loose.dtd'>
<%@ taglib uri="http://java.sun.com/jsp/jstl/core" prefix="c" %>
<html>
<head>
<title>Cattle Drive Assignment Servlets-4: Videos</title>
</head>
<body>
<h1>Cattle Drive Assignment Servlets-4: Videos</h1>
<form method='post' action='/videos/VideoServlet'>
Add a video
<br>
<br>
<table border="1">
<tr>
<th>Title</th>
<th>Star</th>
<th>Type</th>
<th>VHS</th>
<th>DVD</th>
<th>Description</th>
</tr>
<c:forEach items="${the_table}" var="movie">
<tr>
<td>${movie.getTitle()}</td>
<td>${movie.getStar()}</td>
<td>${movie.getType()}</td>
<td>${movie.inVHS()}</td>
<td>${movie.inDVD()}</td>
<td>${movie.getDesc()}</td>
</tr>
</c:forEach>
</table>
</form>
</body>
</html>
Your code looks basically correct. Looks like the error you're seeing indicates that the JSTL taglibs cannot be found in the classpath. Please make sure that jstl.jar and standard.jar are in your war's WEB-INF/lib folder.
System: Mac OSX
I have set up Nutch so that it crawls and indexes my site. It also returns search results. My problem is that I want to customise the Nutch index.jsp and search.jsp pages to fit with my site. I've read up on JSP and it says it's just a matter of putting in the HTML tags and then using <% %> to enclose the Java scriptlets you want. For some reason nothing changes when I edit the files (index and search).
Here is what the original file displays:
<%@ page
session="false"
import="java.io.*"
import="java.util.*"
%><%
String language =
ResourceBundle.getBundle("org.nutch.jsp.search", request.getLocale())
.getLocale().getLanguage();
String requestURI = HttpUtils.getRequestURL(request).toString();
String base = requestURI.substring(0, requestURI.lastIndexOf('/'));
response.sendRedirect(language + "/");
%>
Here is my edited version with some gibberish text added to test it:
<html>
<head>
</head>
<body>
gigigyigig
<%@ page
session="false"
import="java.io.*"
import="java.util.*"
%><%
String language =
ResourceBundle.getBundle("org.nutch.jsp.search", request.getLocale())
.getLocale().getLanguage();
String requestURI = HttpUtils.getRequestURL(request).toString();
String base = requestURI.substring(0, requestURI.lastIndexOf('/'));
response.sendRedirect(language + "/");
%>
ghjgjkbkhb
hjgjvjhvj
</body>
</html>
Nothing has changed though, and the Nutch homepage/index.jsp still displays the same as the original. This is my first encounter with JSP, so it's just what I've picked up so far. Can anyone tell me why the page isn't displaying the HTML with the gibberish typed??
I have my search totally modified. However I have my <html>... tags after the second scriptlet, i.e. <% %>, not <%@ page.
As for your modified index.jsp, it has a redirection (response.sendRedirect) and therefore it looks normal to me that you see nothing.
Also I presume you took care of loading the jsp pages at the right place under the tomcat/webapps tree, because the standard ant make file doesn't. So I ended up adding some Ant task to patch my test website.
Beware if you are going to change the .jar files you also need to restart Tomcat.
I am trying (and learning) to build a Java web framework, and am in the process of developing its code generator based on the content of the database. In the view-making process, I stumbled on a difficulty which I don't know how to solve.
Firstly, I want all the pages to be created using the following index.jsp :
<body>
<%@ include file="header.jsp" %>
<hr/>
<%@ include file="body.jsp" %>
<hr/>
<%@ include file="footer.jsp" %>
</body>
And, in the body.jsp, I want it to be like this :
<jsp:include page="${application_modul}" />
Where application_modul is an attribute defined in its controller this way:
request.setAttribute("application_modul","user_account\\view_user_account.jsp");
It can find the file correctly, but the processed jsp is not what I expected. Here :
<c:forEach items="[application.models.UserAccountModel#18a49e0, application.models.UserAccountModel#1f82982]" var="item" varStatus="status" >
<tr>
....
You can see the items attribute of jstl forEach, got its variable name (toString())...
Any Idea what the problem is????
I hope I describe my problem correctly
Many thanks!
PS :
I already created a quick fix for this, but it's not what I want though. In the generated view_user_account.jsp, I do it like this:
<body>
<%@ include file="header.jsp" %>
<hr/>
<c:forEach items="${row}" var="item" varStatus="status" >
<tr>
....
<hr/>
<%@ include file="footer.jsp" %>
</body>
You can see that I create the whole file here...
EDITED:
PS : ${row} is an ArrayList populated with data from certain table
So, to summarize your problem in a single sentence, JSTL tags are not being parsed and they end up plain in the generated HTML output?
You need to declare the JSTL taglib at the top of the JSP page where you're using JSTL tags to get them to run. For the JSTL core taglib, that'll be
<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
I am not sure, but try this...
index.jsp
<jsp:param name="parameterName" value="{parameterValue | <%= expression %>}" />