Include HTML as static resource

We need to allow remote clients to upload and insert HTML snippets (as html files) into pages in their application, but from memory using a RequestDispatcher would cause the HTML to be executed as a JSP and may allow this to be used as a way to inject code into our application. Not really my aim.
I can read the file and insert the data as a String, but my feeling is this will be heavier than I want, but may be necessary.
For the record the HTML will be relatively small (less than 50k) and unlikely to change.
There will only be one such fragment included in any JSP page.

Opinions?

Is your aim for the fragments to be browser-cacheable? Or are you just trying to protect against JSP injection attacks? Bear in mind that you'll need to worry about JavaScript injection as well.

Rather than "real" HTML would a sub-setted substitute like UBB codes do? Or do you really need "cleansed" HTML?

Dave,
Are they able to include JavaScript or just HTML? JavaScript can cause security issues too.

If it's just HTML, I think reading it as a String and only allowing certain characters is what I would do.

Another alternative I can think of is to use an iframe for the user's section. That way the iframe can be served as straight HTML and not through a servlet/JSP.

If I got it correct, you want make user able to upload the content to the site. Content would be visble to user in some website (may be same website also).

My suggestions

1. Security
- To avoid cross site script don't allow javascript in uploading HTML. You have to parse the whole stream for it ans strip off unwanted tag and javascript code.
- Don't allow user to use iframe or layer which allows to show other sites conatent in your site.
- Put the file in the place where it would not be accessible directly. Like DB or outside context folder or inside web-inf. But in case if you want access through iframe, it must be accessible from browser. See second point for iframe solution. This is to prevent user to upload JSP and execute it.

2. For effeciency
- To increase the seconday memory uitilization compress the file at server side. In this case you have to decompress the file to server it back.
- To increase the serving time you can keep the file in file system and include it at server end in case file.
- Iframe is good solution only in case uploaded file is somehow accessible directly from browser. You can create a servlet like "getContentFile.do?fileKey=abcshsajsd" to access the uploaded file from anywhere.

The problem is that there is an application on the client machine that outputs a simple image gallery, and we use an Applet based upload manager to pick up the gallery file and images and arrange them on the server.
We can restrict the file names to JPG and HTML files, that of course that doesn't necessarily protect against security issues.
This will only b allowed by administrators so JavaScript injection is less of a worry, but I need to focus on possible inclusion of content that could compromise our servers.
The Tomcat instances run as a non-privileged user, but that would still allow an amount of mischief.

It needs to be included into a JSP (rather than served as an HTML file) as it gets dynamic header and footers added...

We use OSCache, so I can look at caching the String data (if it becomes necessary) and writing this directly to the JSP.

Do you want include the images generated by client program or some HTML files? Including images is very differnt then including text content in JSP. Are you uploading image files and want to show them in JSP?

Yes. In the end I had to detect *.html and *.jpg and handle them separately. Thankfully there are only the two file types, and they easy to detect.
I should admin that initially I was trying to include the JPG image as HTML text before realising my mistake.

Please see my previous comment about uploading, processing, Saving and then serving uploaded documents.

To include html or static text you can use following server side jsp tag

<jsp:include page="{relativeURL | <%= expression %>}" flush="true|false" />

I already talked about inframes etc other ways of displaying these text.
However you cannot use static include in this case <%@include%>

To include image use following HTML tag

<img src=<%=expression%>/>

(You can create a servlet like "getContentFile.do?fileKey=abcshsajsd" to access the uploaded file from anywhere.)