tibi stibi

Greenhorn
since May 26, 2008

Recent posts by tibi stibi

probably in old struts xml files this line is not there yet:

<param name="excludeParams">dojo\..*,^struts\..*</param>

i had:

<param name="excludeParams">dojo\..*</param>
8 years ago
i can let struts make the objects and then add a method encode to encode all the strings. but what happens over a year when someone adds a field and forgets to add the encoding?
so i think it's most solid to make a request wrapper so all fields will by default be encoded. if for some reason encoding is not needed or possible then it could be added to an exclude list.
9 years ago
it is like this

1. The user types some input into the form fields in your HTML.

2. That input passes through the internet and finally arrives in your application.

3. Your application then tries to encode that input to remove all security risk.

4. the encoded input (text, urls) is stored in the database

5. an email is constructed with the stored text and urls in it and sent out to the customers

6. there is an online version of the same email

steps 5 and 6 are done by an email program over which i have no control.
9 years ago
i have a cms system where users can add information which will be stored in the database.
this information will be used in email marketing campaigns.

to be sure there is no security risk i want to encode all user input. if i can do it with a request wrapper i'm sure all input from all forms will be encoded.

to do that i have added a filter like this:
public void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain chain) throws IOException, ServletException {
    EncodingRequestWrapper wrapper = new EncodingRequestWrapper(request);
    chain.doFilter(wrapper, response);
}

which adds my encoding request wrapper around the request.

but when struts creates my objects in the action or when i call getRequest() my wrapper is not used

9 years ago
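The wrapper the post describes, written out as an added example (not the poster's code; the class name is taken from the post, the encode helper and its escaping rules are assumed). It also overrides getParameterMap(), because Struts 2 fills action properties from that map rather than from getParameter(), so a wrapper that only overrides getParameter() is bypassed for everything the action receives:

```java
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

// Escapes every parameter value as it is read, so a form field added later
// is covered without anyone remembering to call an encode method on it.
public class EncodingRequestWrapper extends HttpServletRequestWrapper {

    public EncodingRequestWrapper(HttpServletRequest request) {
        super(request);
    }

    @Override
    public String getParameter(String name) {
        return encode(super.getParameter(name));
    }

    @Override
    public String[] getParameterValues(String name) {
        String[] raw = super.getParameterValues(name);
        if (raw == null) return null;            // absent parameter stays absent
        String[] out = new String[raw.length];
        for (int i = 0; i < raw.length; i++) out[i] = encode(raw[i]);
        return out;
    }

    // Struts 2 fills action properties from this map, not from getParameter(),
    // so a wrapper that skips it is bypassed for everything the action receives.
    @Override
    public Map<String, String[]> getParameterMap() {
        Map<String, String[]> escaped = new LinkedHashMap<>();
        for (String name : super.getParameterMap().keySet()) {
            escaped.put(name, getParameterValues(name));
        }
        return Collections.unmodifiableMap(escaped);
    }

    // Assumed helper: escapes the five characters that break out of HTML text
    // and quoted attributes. The '&' replacement runs first so already
    // produced entities are not double-escaped. HTML escaping only: other
    // output contexts (URLs, JavaScript, SQL) need their own encoding.
    static String encode(String value) {
        if (value == null) return null;
        return value.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")
                    .replace("\"", "&quot;").replace("'", "&#39;");
    }
}
```

The filter that installs this wrapper also has to be mapped before the Struts filter in web.xml, since filters see the request in mapping order and Struts only receives the wrapped request if the encoding filter ran first.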
i wonder if this ever worked.

i myself am trying such a thing. i want to escape user input with an overridden request.getParam*

9 years ago

David Newton wrote:It's not that they're "incompatible" with JSP 2.0, it's that we don't allow JSP EL expressions in their attributes to avoid a security issue.

Some people just extract the TLD, remove the restriction, and either use that TLD or re-jar it back up. Or, in your case, just use <s:iterator> and skip the JSTL tags, or make sure <c:foreach> puts the iterated value into one of the normal JEE scopes and use an OGNL expression, which will check the scopes as well.
could you post an example of the second option?
i have something like this:

which is ok
now i want to divide the value by 100 (it's in cents). i was working on something like this but <%=d %> is not allowed.

15 years ago
hi list,

i have some examples of how i can call a stored procedure with hibernate. these are done with named queries.
at the moment i only use annotations and no hibernate files.
is it possible to call something like this:

getHibernateTemplate().find("{?= call TEST(?)}", new Object[] { name });
which will return a cursor or multiple rows with all the users found with name 'name'.

thanks,

tibi