database - Display BLOB object in Java web project avoiding persistent cross site scripting? -


How do I display data stored in a BLOB object in a Java web project while avoiding a persistent cross-site scripting vulnerability?

The method respond() in ViewDeliveredReportsPage.java sends un-validated data to the web browser on line 2775, which can result in the browser executing malicious code.

```java
2773     byte[] barray = new byte[bytelen];
2774     barray = blob.getBytes(1, bytelen);
2775     httpResponse.getOutputStream().write(barray);
2776 } catch (SQLException e) {
2777     logger.error("Error onSelectionChanged
```

Before you pass the data to be displayed, you need to escape it. The OWASP ESAPI library seems a good choice. You can find it here: https://code.google.com/p/owasp-esapi-java/downloads/list

```java
// Requires: import org.owasp.esapi.ESAPI; import java.nio.charset.StandardCharsets;
byte[] barray = new byte[bytelen];
barray = blob.getBytes(1, bytelen);
// You'll have to convert it to a String first - not
// familiar with Java, but the principle is the same.
String output = ESAPI.encoder().encodeForHTML(new String(barray, StandardCharsets.UTF_8));
// OutputStream.write takes bytes, so encode the escaped String back with the same charset
httpResponse.getOutputStream().write(output.getBytes(StandardCharsets.UTF_8));
} catch (SQLException e) {
    logger.error("Error onSelectionChanged
```

It's worth reading the cheat sheet: https://www.owasp.org/index.php/xss_%28cross_site_scripting%29_prevention_cheat_sheet
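The following is an added, self-contained example of the answer's approach; it is not code from the original question or answer. It reads a BLOB that holds text, HTML-entity-encodes it for the HTML element body context, and writes the result to an output stream. The class name `BlobHtmlOutput`, the helper names, and the sample report body are assumptions; the local `encodeForHtml` helper stands in for `ESAPI.encoder().encodeForHTML(String)` so the example compiles with only the JDK, and the stored report text is constructed to contain a script tag so the effect of the encoding is visible.

```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.OutputStream;
import java.nio.charset.Charset;
import java.nio.charset.StandardCharsets;
import java.sql.Blob;
import java.sql.SQLException;
import javax.sql.rowset.serial.SerialBlob;

public class BlobHtmlOutput {

    // HTML entity encoding for text placed into an HTML element body, following the
    // OWASP XSS prevention cheat sheet rule for that context. ESAPI's
    // ESAPI.encoder().encodeForHTML(String) does the same job; this local version
    // (an assumption, not ESAPI code) keeps the example free of third-party jars.
    static String encodeForHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#x27;"); break;
                case '/':  sb.append("&#x2F;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Read the whole BLOB and decode it as text with an explicit charset.
    // Blob.getBytes is 1-based, exactly as in the question's snippet.
    static String blobToString(Blob blob, Charset cs) throws SQLException {
        long len = blob.length();
        if (len > Integer.MAX_VALUE) {
            throw new SQLException("BLOB too large to render inline: " + len);
        }
        return new String(blob.getBytes(1, (int) len), cs);
    }

    // Encode the BLOB's text and write it to the response body. The caller must
    // also set Content-Type to "text/html; charset=<cs>" so the browser decodes
    // the bytes with the same charset they were encoded with.
    static String writeBlobAsEscapedHtml(Blob blob, OutputStream out, Charset cs)
            throws SQLException, IOException {
        String escaped = encodeForHtml(blobToString(blob, cs));
        out.write(escaped.getBytes(cs));
        out.flush();
        return escaped;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a stored report body that carries a script tag.
        byte[] stored = "Q3 report <script>alert(document.cookie)</script>"
                .getBytes(StandardCharsets.UTF_8);
        Blob blob = new SerialBlob(stored);

        // Stands in for httpResponse.getOutputStream() in the servlet.
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        writeBlobAsEscapedHtml(blob, out, StandardCharsets.UTF_8);
        System.out.println(out.toString(StandardCharsets.UTF_8.name()));
    }
}
```

In the servlet, `out` is `httpResponse.getOutputStream()` and `httpResponse.setContentType("text/html; charset=UTF-8")` should be called before writing, so the declared charset matches the one used for encoding. This encoding is only right when the BLOB is text that will be rendered as part of an HTML page; a binary report (a PDF, for instance) must not be HTML-encoded, since that corrupts it. For that case the response should instead carry the correct Content-Type, `X-Content-Type-Options: nosniff`, and a `Content-Disposition: attachment` header, so the browser never interprets the bytes as HTML.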

