wood burning stoves 2.0*
The moose likes Servlets and the fly likes Include HTML as static resource Big Moose Saloon
  Search | Java FAQ | Recent Topics | Flagged Topics | Hot Topics | Zero Replies
Register / Login
JavaRanch » Java Forums » Java » Servlets
Bookmark "Include HTML as static resource" Watch "Include HTML as static resource" New topic

Include HTML as static resource

David O'Meara

Joined: Mar 06, 2001
Posts: 13459

We need to allow remote clients to upload and insert HTML snippets (as html files) into pages in their application, but from memory using a RequestDispatcher would cause the HTML to be executed as a JSP and may allow this to be used as a way to inject code into our application. Not really my aim.
I can read the file and insert the data as a String, but my feeling is this will be heavier than I want, but may be necessary.
For the record the HTML will be relatively small (less than 50k) and unlikely to change.
There will only be one such fragment included in any JSP page.

Bear Bibeault
Author and ninkuma

Joined: Jan 10, 2002
Posts: 60780

Is your aim for the fragments to be browser-cacheable? Or are you just trying to protect against JSP injection attacks? Bear in mind that you'll need to worry about JavaScript injection as well.

Rather than "real" HTML would a sub-setted substitute like UBB codes do? Or do you really need "cleansed" HTML?

[Asking smart questions] [Bear's FrontMan] [About Bear] [Books by Bear]
Jeanne Boyarsky
internet detective

Joined: May 26, 2003
Posts: 30116

Are they able to include JavaScript or just HTML? JavaScript can cause security issues too.

If it's just HTML, I think reading it as a String and only allowing certain characters is what I would do.

Another alternative I can think of is to use an iframe for the user's section. That way the iframe can be served as straight HTML and not through a servlet/JSP.

[Blog] [JavaRanch FAQ] [How To Ask Questions The Smart Way] [Book Promos]
Blogging on Certs: SCEA Part 1, Part 2 & 3, Core Spring 3, OCAJP, OCPJP beta, TOGAF part 1 and part 2
Alok Kushwah
Ranch Hand

Joined: Jul 10, 2007
Posts: 31
If I got it correct, you want make user able to upload the content to the site. Content would be visble to user in some website (may be same website also).

My suggestions

1. Security
- To avoid cross site script don't allow javascript in uploading HTML. You have to parse the whole stream for it ans strip off unwanted tag and javascript code.
- Don't allow user to use iframe or layer which allows to show other sites conatent in your site.
- Put the file in the place where it would not be accessible directly. Like DB or outside context folder or inside web-inf. But in case if you want access through iframe, it must be accessible from browser. See second point for iframe solution. This is to prevent user to upload JSP and execute it.

2. For effeciency
- To increase the seconday memory uitilization compress the file at server side. In this case you have to decompress the file to server it back.
- To increase the serving time you can keep the file in file system and include it at server end in case file.
- Iframe is good solution only in case uploaded file is somehow accessible directly from browser. You can create a servlet like "getContentFile.do?fileKey=abcshsajsd" to access the uploaded file from anywhere.
David O'Meara

Joined: Mar 06, 2001
Posts: 13459

The problem is that there is an application on the client machine that outputs a simple image gallery, and we use an Applet based upload manager to pick up the gallery file and images and arrange them on the server.
We can restrict the file names to JPG and HTML files, that of course that doesn't necessarily protect against security issues.
This will only b allowed by administrators so JavaScript injection is less of a worry, but I need to focus on possible inclusion of content that could compromise our servers.
The Tomcat instances run as a non-privileged user, but that would still allow an amount of mischief.

It needs to be included into a JSP (rather than served as an HTML file) as it gets dynamic header and footers added...

We use OSCache, so I can look at caching the String data (if it becomes necessary) and writing this directly to the JSP.
Alok Kushwah
Ranch Hand

Joined: Jul 10, 2007
Posts: 31
Do you want include the images generated by client program or some HTML files? Including images is very differnt then including text content in JSP. Are you uploading image files and want to show them in JSP?
David O'Meara

Joined: Mar 06, 2001
Posts: 13459

Yes. In the end I had to detect *.html and *.jpg and handle them separately. Thankfully there are only the two file types, and they easy to detect.
I should admin that initially I was trying to include the JPG image as HTML text before realising my mistake.
Alok Kushwah
Ranch Hand

Joined: Jul 10, 2007
Posts: 31
Please see my previous comment about uploading, processing, Saving and then serving uploaded documents.

To include html or static text you can use following server side jsp tag

<jsp:include page="{relativeURL | <%= expression %>}" flush="true|false" />

I already talked about inframes etc other ways of displaying these text.
However you cannot use static include in this case <%@include%>

To include image use following HTML tag

<img src=<%=expression%>/>

(You can create a servlet like "getContentFile.do?fileKey=abcshsajsd" to access the uploaded file from anywhere.)

jQuery in Action, 2nd edition
subject: Include HTML as static resource
Similar Threads
How do i set a value in a jsp and get the same value in a servlet?
JavaScript in JSPs using struts tag libraries
RMI on a Servlet
Tomcat alone vs Apache/Tomcat
Can I use JavaScript inside a JSP page?