This week's book giveaway is in the OO, Patterns, UML and Refactoring forum. We're giving away four copies of Refactoring for Software Design Smells: Managing Technical Debt and have Girish Suryanarayana, Ganesh Samarthyam & Tushar Sharma on-line! See this thread for details.
I have a text box(on a jsp page) which should enable a free txt input including an HTML tags.
In my customer page, there is an empty <div> that shoud be filled dinamiclly by calling to my servlet.
my servlet should return a text that can be including an HTML tags and this text will be emmbeded in the div and will be formatted as a regular HTML.
in order to retrive this text, I'm giving my customer a text box where he can put his free text(again, including HTML tags) and I store it in the DB.
my problem is, how to give my customer the ability to put his free text with the HTML tags in the text box and in the DB and to avoid security issuse like SQL injection.
SQL injection problems can be handled in the model using techniques as outline in the JDBC forum (using PerparedStatements, for example). Script and HTML injection can be prevented by using the <c:out> JSTL tag when displaying the user-entered values, as <c:out> will properly HTML-encode any markup characters.