Daud

Reputation: 7887

Struts 2 - is there any way to escape HTML in input fields?

When I allow a user to enter text using s:textfield, he can enter something like <b>Name</b> or something like \Me/. I want these to be escaped before I save them to the database. When we retrieve them, the escaping is done automatically, but I want it to happen also when we are saving.

I was trying to return JSON output from my action class, but due to a name \a/ stored in my database, invalid JSON was being formed. This would have been avoided if the name had been escaped before being saved into the database.

Upvotes: 0

Views: 2202

Answers (2)

Jeevan Patil

Reputation: 6079

@Daud, the problem you explained is called cross-site scripting, or XSS. I think you should use Filters to clean the request parameters; this is the most sophisticated way. You can call these filters for the actions which post parameters via the request.

Visit my blog to see how to avoid the XSS threat using the Filter approach.

I also faced this issue when our project was tested by a well-known firm specializing in security testing, and they suggested this filter approach.

You can give it a try.

Upvotes: 1

Pigueiras

Reputation: 19356

You can use StringEscapeUtils. You can call escapeJavaScript(textfield) in your action and then store the result in the database.

Upvotes: 2
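To make this answer concrete, here is an added example (not the answerer's code) of a Struts 2 action that applies StringEscapeUtils.escapeJavaScript to the submitted field before storing it, as the answer suggests. It assumes Commons Lang 2.x (where the method is named escapeJavaScript; Commons Lang 3 renamed it escapeEcmaScript) and Struts 2's ActionSupport on the classpath; the action and field names, and the in-memory list standing in for the database, are my own.

```java
// Added example, not from the answer: a Struts 2 action that escapes the submitted
// text for a JavaScript string context before saving it, then reuses the escaped
// value inside a JSON string literal. Package, class and field names are hypothetical.
package example.action;

import java.util.ArrayList;
import java.util.List;

import org.apache.commons.lang.StringEscapeUtils;

import com.opensymphony.xwork2.ActionSupport;

public class SaveNameAction extends ActionSupport {

    // Stand-in for the database table the question stores names in.
    private static final List<String> NAME_STORE = new ArrayList<String>();

    private String name;   // populated by Struts 2 from <s:textfield name="name"/>
    private String json;   // read by whatever result writes the JSON response

    public String execute() {
        // Escape for a JavaScript string context before saving, per the answer.
        // What Commons Lang 2.x escapeJavaScript produces for the question's inputs:
        //   \a/           ->  \\a\/
        //   <b>Name</b>   ->  <b>Name<\/b>      (< and > are left as they are)
        //   O'Brien "Bob" ->  O\'Brien \"Bob\"
        String escaped = StringEscapeUtils.escapeJavaScript(name);
        NAME_STORE.add(escaped);

        // Backslash, double quote and slash are now escaped, so the value no longer
        // breaks out of a JSON string literal the way the raw \a/ did.
        json = "{\"name\":\"" + escaped + "\"}";
        return SUCCESS;
    }

    public void setName(String name) {
        this.name = name;
    }

    public String getName() {
        return name;
    }

    public String getJson() {
        return json;
    }
}
```

Two caveats a reviewer would raise on this approach. escapeJavaScript handles `\`, `"`, `'` and `/`, which fixes the broken-JSON case from the question, but it does not touch `<`, `>` or `&`, so `<b>Name</b>` is stored unchanged and still needs HTML escaping wherever it is rendered as HTML. It also writes a single quote as `\'`, which JavaScript accepts but strict JSON parsers reject, so for a JSON response the string encoding of a JSON library is the safer choice; the usual practice is to store the raw text and escape at output for whichever context (HTML, JavaScript, JSON) the value is being written into.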
