We need to allow remote clients to upload and insert HTML snippets (as HTML files) into pages in their application, but from memory, using a RequestDispatcher would cause the HTML to be executed as a JSP and may allow this to be used as a way to inject code into our application. Not really my aim.
I can read the file and insert the data as a String, but my feeling is this will be heavier than I want, though it may be necessary.
For the record the HTML will be relatively small (less than 50k) and unlikely to change.
There will only be one such fragment included in any JSP page.
If I got it correctly, you want to make users able to upload content to the site. The content would be visible to users on some website (possibly the same website).
1. For security
- Don't allow the user to use an iframe or layer which allows other sites' content to be shown in your site.
- Put the file in a place where it would not be accessible directly, like a DB, outside the context folder, or inside WEB-INF. But if you want access through an iframe, it must be accessible from the browser; see the second point for the iframe solution. This is to prevent the user from uploading a JSP and executing it.
2. For efficiency
- To improve secondary memory utilization, compress the file on the server side. In this case you have to decompress the file to serve it back.
- To improve the serving time you can keep the file in the file system and include it at the server end in the case of a file.
- An iframe is a good solution only if the uploaded file is somehow accessible directly from the browser. You can create a servlet like "getContentFile.do?fileKey=abcshsajsd" to access the uploaded file from anywhere.
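As an added example (not code posted by either participant), here is one way to put the answer's two security points together with the text-include approach from the question: uploads live in a directory outside the Tomcat webapps tree, the browser fetches JPGs through a key-based servlet, and the HTML fragment is read into a String and written out by the JSP rather than included through a RequestDispatcher, so the container never compiles uploaded bytes as a JSP. The package name `gallery`, the class names, the upload directory, the `fileKey`/`type` parameters and the `<key>.html` / `<key>.jpg` naming scheme are all assumptions for this example; it targets the `javax.servlet` API (Tomcat 9 and earlier).

```java
package gallery; // assumed package name (example code, not from the thread)

import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.regex.Pattern;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Assumed to be mapped to /getContentFile.do in web.xml. */
public class GetContentFileServlet extends HttpServlet {

    /** Key-to-file resolution plus the text include used from the JSP. */
    public static final class Fragments {
        // Assumption: uploads are written here, outside the webapp, under a
        // server-chosen key, so Tomcat can never treat one of them as a JSP.
        static final Path UPLOAD_ROOT =
                Paths.get("/var/lib/gallery-uploads").toAbsolutePath().normalize();
        // Opaque keys only: no '/', '\' or '.', so a key cannot leave UPLOAD_ROOT.
        private static final Pattern KEY = Pattern.compile("[A-Za-z0-9]{8,64}");
        // The question says fragments stay under 50k; refuse anything bigger.
        private static final long MAX_HTML_BYTES = 50L * 1024;

        private Fragments() {}

        /** Returns the stored file for key + ext, or null if the key is malformed or absent. */
        static Path resolve(String key, String ext) {
            if (key == null || !KEY.matcher(key).matches()) return null;
            if (!"html".equals(ext) && !"jpg".equals(ext)) return null;
            Path p = UPLOAD_ROOT.resolve(key + "." + ext).normalize();
            // The regex already rules out traversal; this check is defence in depth.
            if (!p.startsWith(UPLOAD_ROOT) || !Files.isRegularFile(p)) return null;
            return p;
        }

        /**
         * Reads an uploaded HTML fragment as a String so the JSP can write it
         * out with a <%= %> expression. Text written to the response this way
         * is never re-parsed as JSP, unlike a RequestDispatcher include.
         */
        public static String readHtml(String key) throws IOException {
            Path p = resolve(key, "html");
            if (p == null) return "";
            if (Files.size(p) > MAX_HTML_BYTES) {
                throw new IOException("gallery fragment too large: " + key);
            }
            return new String(Files.readAllBytes(p), StandardCharsets.UTF_8);
        }
    }

    /** GET /getContentFile.do?fileKey=abcshsajsd[&type=html] streams the stored bytes. */
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        // Default to the image case; type=html is only needed for the iframe variant.
        String ext = "html".equals(req.getParameter("type")) ? "html" : "jpg";
        Path p = Fragments.resolve(req.getParameter("fileKey"), ext);
        if (p == null) {
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        // The server picks the MIME type from its own extension, never from the
        // upload, and tells the browser not to sniff a JPG into something else.
        resp.setContentType("jpg".equals(ext) ? "image/jpeg" : "text/html; charset=UTF-8");
        resp.setHeader("X-Content-Type-Options", "nosniff");
        resp.setContentLength((int) Files.size(p));
        Files.copy(p, resp.getOutputStream());
    }
}
```

In the JSP the fragment is then emitted as text, e.g. `<%@ page import="gallery.GetContentFileServlet" %>` followed by `<%= GetContentFileServlet.Fragments.readHtml(request.getParameter("galleryKey")) %>` between the dynamic header and footer, and the gallery's `<img>` tags point at `getContentFile.do?fileKey=...`. This stops uploads from ever running as JSP on the server; the uploaded HTML is still rendered inside your page's origin, so it is only as trustworthy as the client who uploaded it, which is why the answer also warns against iframes and layers pulling in other sites' content.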
The problem is that there is an application on the client machine that outputs a simple image gallery, and we use an Applet-based upload manager to pick up the gallery file and images and arrange them on the server.
We can restrict the file names to JPG and HTML files, but of course that doesn't necessarily protect against security issues.
The Tomcat instances run as a non-privileged user, but that would still allow an amount of mischief.
It needs to be included into a JSP (rather than served as an HTML file) as it gets dynamic header and footers added...
We use OSCache, so I can look at caching the String data (if it becomes necessary) and writing this directly to the JSP.
Do you want to include the images generated by the client program or some HTML files? Including images is very different from including text content in a JSP. Are you uploading image files and want to show them in a JSP?
Yes. In the end I had to detect *.html and *.jpg and handle them separately. Thankfully there are only the two file types, and they are easy to detect.
I should admit that initially I was trying to include the JPG image as HTML text before realising my mistake.