
Avoid Cross Site Scripting

I am using Tomcat 6.2 Application Server. Applications designed in MVC2 Architecture (JSP, Servlet, DAO) are running on this server. Now on my feedback form someone posted something like a script:
<script>alert('test')</script>
Since 10 applications are running on my Tomcat, I am expecting a solution related to pattern matching to avoid this at the web.xml level.
Please help me out to resolve this problem.

Thanks & Regards
Dec 17 '09 #1
chaarmann (Recognized Expert Contributor)
What this "someone" was doing is called "malicious code insertion"; he did it to detect dirty coding, and you are lucky that he was only testing instead of doing damage.
You should learn from it to validate ALL your input properly.

Especially if you write some text to a webpage, you should make sure that it is really only simple text and not some HTML.
That means, check for and replace:
- HTML tags: replace all "<" and ">" in your output with "&lt;" and "&gt;"
- HTML character entity references or numeric character references: replace all "&" with "&amp;", so that for example "company C&A" is not displayed as "company C", or "company A&LtO" is not displayed as "company A<O", and so on.

By the way, if you write the stuff to a database as an SQL statement, you should also replace single quotation marks, or Mr. "someone" will delete your whole database and steal all your passwords with a malicious SQL code insertion ...
Dec 17 '09 #2
