Struts XSS and SQL Injection vulnerabilities

Hi All,

Does anyone there know how Struts handles XSS and SQL Injection vulnerabilities?
I mean, what are the classes which handle these vulnerabilities?
author & internet detective
It's a design change, not a class you just call.

SQL Injection - make sure you are always using prepared statements and passing in all user values via parameters

XSS - make sure you are escaping user content on submission or on rendering. Struts does provide some protection in their tags. I recall seeing it extended, so I don't know how complete it is.
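The two points in the answer above, as an added Java illustration that is not code from this thread or from the Struts project: a query built by string concatenation beside the same lookup done with a bound parameter, and a small output-encoding helper for rendering user content into HTML. The `users` table, its columns, and the class and method names (`InjectionDefenses`, `findUsers`, `escapeHtml`) are assumptions made for the example.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.List;

/**
 * Added example (not from the thread or Struts). Table "users" and its
 * columns "id" and "username" are assumed for illustration.
 */
public class InjectionDefenses {

    /**
     * VULNERABLE: the user-supplied value is spliced into the SQL text, so a
     * quote character in it changes the structure of the statement. Shown
     * only to contrast with the prepared version below.
     */
    public static String buildQueryByConcatenation(String username) {
        return "SELECT id, username FROM users WHERE username = '" + username + "'";
    }

    /**
     * FIXED: the SQL text is constant and the user value travels as a bound
     * parameter, so the driver never interprets it as part of the statement.
     */
    public static List<String> findUsers(Connection conn, String username) throws SQLException {
        String sql = "SELECT id, username FROM users WHERE username = ?";
        List<String> found = new ArrayList<>();
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, username);               // value, never SQL
            try (ResultSet rs = ps.executeQuery()) {
                while (rs.next()) {
                    found.add(rs.getLong("id") + ":" + rs.getString("username"));
                }
            }
        }
        return found;
    }

    /**
     * Output encoding for HTML text content and double-quoted attribute
     * values: the "escape on rendering" option from the answer. The five
     * characters below are the ones that can change HTML structure.
     */
    public static String escapeHtml(String s) {
        if (s == null) {
            return "";
        }
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed sample input: a value a user might submit in a form field,
        // containing both markup and a single quote.
        String submitted = "<b>hello</b> O'Brien";

        System.out.println("concatenated (unsafe): " + buildQueryByConcatenation(submitted));
        // The prepared version sends the same SQL whatever the input; only the
        // bound parameter changes.
        System.out.println("prepared (safe):       SELECT id, username FROM users WHERE username = ?"
                + "   [parameter 1 = " + submitted + "]");
        System.out.println("escaped for HTML:      " + escapeHtml(submitted));
    }
}
```

`main` runs without a database and only shows the three strings; `findUsers` needs a real JDBC `Connection` to a database with the assumed `users` table. The escaping helper is applied at render time, which is the option that keeps the stored value intact and lets the same data be encoded differently for other output contexts.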
Rajan Vij
Greenhorn
Are tags the only way to avoid XSS?

I have implemented a filter with which I have escaped the user content from the request, and I have also used prepared and callable statements to avoid SQL Injection.

But filters reduce performance, so I just wanted to know how it has been implemented in Struts releases where they have taken care of such vulnerabilities, so that I could use performance-based code.

Jeanne Boyarsky
author & internet detective
It's not the filter reducing the performance; it's the search/replace. Any solution is going to need to do that. Luckily, it reduces the performance by such a tiny percentage compared to the database call that it's a non-issue.