October 9, 2008 at 12:01 am
by nitingautam · Filed under Java, Articles
XSS (cross-site scripting) is one of the most common vulnerabilities in web applications, and it can be exploited very easily without any sophisticated tool.
How does it work?
Most web applications have forms (text boxes and so on) to receive input from the user. Say a web application has a text field for 'user-id'. An attacker can type anything into it, including JavaScript. If the server processes that input and then sends it back, for example by echoing the user-id verbatim on an error page, the value is never validated or escaped on the way out.
If the input is returned as it is, the browser treats the injected script as part of the page and executes it. And the attacker wins. (This is the reflected form of XSS; the same thing happens if the unescaped value is stored and shown to other users later.)
Here is the solution for Spring…
In Spring MVC, JSP pages are built with the form tag library, and Spring provides several ways to tell those tags to HTML-escape the values they render on the server side:
- At global level, it is defined in web.xml. This applies to the entire application: every form tag refers to this definition unless it is overridden at a lower level. The sample code is shown below:
<context-param>
<param-name>defaultHtmlEscape</param-name>
<param-value>true</param-value>
</context-param>
- At page level, it is defined as a tag declaration. The code is:
<spring:htmlEscape defaultHtmlEscape="true" />
Every form tag that follows this declaration on the page uses HTML-escape encoding.
- The third option is to set the attribute on each form tag. For example, an input text field can be defined as:
<form:input path="name" htmlEscape="true" />
Depending on the requirement it can be set at global, page or tag level. The more specific setting wins, so a tag whose htmlEscape attribute is false renders unescaped even when the global default is true. Note that these settings only cover Spring's form and bind tags: values written with plain JSP EL expressions or scriptlets are not escaped by them and need the JSTL c:out tag or explicit escaping.
I hope this information helps. Please do post your comments.
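As an added check (this is example code, not part of the original post or of Spring), the script below reports whether a deployed web.xml enables the global defaultHtmlEscape context-param described above, so the setting can be audited across WARs rather than trusted. It assumes the standard servlet descriptor layout (WEB-INF/web.xml) and the parameter name exactly as Spring expects it; the function names and the two sample descriptors, one without the parameter and one with it, are constructed here.

```shell
#!/bin/sh
# Added example: audit a web.xml for the Spring defaultHtmlEscape context-param.
# The parsing is regex-based (each <context-param> is put on its own line, then
# the one naming defaultHtmlEscape is inspected); a production audit would use
# a real XML parser. Function names and sample files are constructed for the demo.

# Print the value of the defaultHtmlEscape context-param in $1, or nothing if
# the parameter is absent. Whitespace inside the elements is tolerated.
default_html_escape_value() {
  tr -d '\n\r' < "$1" \
    | awk '{ gsub(/<\/context-param>/, "&\n"); print }' \
    | grep '<param-name>[[:space:]]*defaultHtmlEscape[[:space:]]*</param-name>' \
    | sed -n 's#.*<param-value>[[:space:]]*\([^<[:space:]]*\)[[:space:]]*</param-value>.*#\1#p' \
    | head -n 1
}

# Exit 0 when the descriptor turns escaping on globally, 1 otherwise.
check_default_html_escape() {
  [ "$(default_html_escape_value "$1")" = "true" ]
}

# Write a sample descriptor to $1; $2 is "on" (parameter present, true) or
# "off" (parameter absent, the weak configuration).
write_sample_web_xml() {
  {
    printf '<web-app>\n'
    printf '  <display-name>sample</display-name>\n'
    if [ "$2" = on ]; then
      printf '  <context-param>\n'
      printf '    <param-name>defaultHtmlEscape</param-name>\n'
      printf '    <param-value>true</param-value>\n'
      printf '  </context-param>\n'
    fi
    printf '  <context-param>\n'
    printf '    <param-name>contextConfigLocation</param-name>\n'
    printf '    <param-value>/WEB-INF/app-context.xml</param-value>\n'
    printf '  </context-param>\n'
    printf '</web-app>\n'
  } > "$1"
}

# Usage: check_default_html_escape /path/to/WEB-INF/web.xml && echo "global escaping on"
```

A passing check only proves the global default; it does not catch a tag that overrides it with htmlEscape set to false, nor values written with JSP EL or scriptlets, which the setting never touched.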
September 13, 2008 at 6:41 pm
by nitingautam · Filed under HowTo, Articles
Hi all,
Yesterday I received some code for study that was actually maintained in Subversion. What I got was not an exported copy, so I ended up with a deep hierarchy that included a ".svn" folder in every directory (svn export would have produced a clean copy). Before I could start working with the code in Eclipse I had to remove the .svn folders.
Below are solutions for both Windows and Linux to remove these recursive ".svn" folders. I hope you find them helpful.
Do post your comments.
Solution under Windows:
Right-click the folder and choose Search...
Enter .svn as the file name to search for.
Click "More advanced options" and select:
- Search hidden files and folders
- Search subfolders
Press the Search button and delete the folders it finds.
Solution under Linux/Unix:
find ./ -name ".svn" | xargs rm -Rf
or, safer for paths that contain whitespace (the first form splits them at the spaces):
find . -type d -name '.svn' -print0 | xargs -0 rm -rf
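The script below is an added example (not from the original post) of the same cleanup done without xargs: find's -prune stops it from descending into a .svn tree that is about to be deleted, and -exec with {} + hands the paths straight to rm, so names containing whitespace or quotes survive. It also offers a dry run and a count, which is what I would want before running rm -rf over someone else's tree. The function names and the sample working copy are constructed here for the demonstration.

```shell
#!/bin/sh
# Added example: remove nested .svn directories safely, with a dry run.
# Function names and the fake working copy below are constructed for the demo.

# Print the number of .svn directories below $1 (default: current directory).
count_svn_dirs() {
  find "${1:-.}" -type d -name .svn -prune -print | wc -l | tr -d ' '
}

# Dry run: print the .svn directories that would be removed, without touching them.
list_svn_dirs() {
  find "${1:-.}" -type d -name .svn -prune -print
}

# Remove every .svn directory below $1 and print how many were removed.
# -prune keeps find out of a .svn tree it is deleting; -exec ... {} + batches
# the paths to rm without going through xargs or word splitting.
remove_svn_dirs() {
  root=${1:-.}
  before=$(count_svn_dirs "$root")
  find "$root" -type d -name .svn -prune -exec rm -rf {} +
  echo "$before"
}

# Build a small fake working copy: .svn at three levels, one of them under a
# directory whose name contains a space, plus a source file that must survive.
make_sample_checkout() {
  mkdir -p "$1/.svn" "$1/src/.svn" "$1/src/my module/.svn"
  printf 'dummy\n' > "$1/.svn/entries"
  printf 'public class Main {}\n' > "$1/src/Main.java"
}

# Usage: list_svn_dirs /path/to/checkout   (look first)
#        remove_svn_dirs /path/to/checkout (then delete)
```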
March 26, 2008 at 12:50 pm
by admin · Filed under Java, Articles
Subclipse does not collect or store username and password credentials when you define a repository. This is because the JavaHL and SVNKit client adapters are intelligent enough to prompt you for this information when they need it, including when your password has changed.
You can also allow the adapter to cache this information, and a common question is how to delete the cached information so that you are prompted again. There is an open request for an API to be added to JavaHL so that a UI could be provided for this. Currently you have to delete the cache manually, and its location depends on the client adapter in use.
JavaHL caches the information in the same place as the command-line client: the Subversion runtime configuration area. On Windows this is %APPDATA%\Subversion\auth; on Linux and OS X it is ~/.subversion/auth. Find and delete the file holding the cached entry. Note that on Linux and OS X the svn.simple files in that area hold the password in plaintext unless a platform password store is in use, so clearing them also removes a plaintext secret from disk.
SVNKit caches the information in the Eclipse keyring. By default this is a file named .keyring stored in the root of the Eclipse configuration folder. Both of these values can be overridden with command-line options. To clear the cache, delete the file; Eclipse creates a new empty keyring when you restart.
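As an added example (not from the original post, and not a Subclipse or Subversion tool), the script below locates the cached entry for one repository realm in the Subversion auth area named above and removes only that file, rather than wiping the whole directory. Each file under auth/svn.simple/ is a Subversion hash file of "K <len>" / key / "V <len>" / value pairs ending in END, with the realm stored under the key svn:realmstring and the storage type under passtype; in a real cache the file names are the MD5 of the realm string, whereas the sample cache built here uses placeholder names. The function names are assumptions for the demo.

```shell
#!/bin/sh
# Added example: list and selectively delete cached Subversion credentials.
# The sample auth area and its file names are constructed for the demonstration.

# Print the value stored under key $2 in Subversion hash file $1.
# Records alternate "K <len>" / key / "V <len>" / value, so each K or V line
# is followed by the line that carries the actual text.
svn_hash_get() {
  awk -v key="$2" '
    $1 == "K" { getline k; want = (k == key); next }
    $1 == "V" { getline v; if (want) { print v; exit } }
  ' "$1"
}

# List "<file> <realm> <username> <passtype>" (tab-separated) for every cached
# entry below auth area $1. passtype "simple" means a plaintext password.
svn_auth_list() {
  for f in "$1"/svn.simple/*; do
    [ -f "$f" ] || continue
    printf '%s\t%s\t%s\t%s\n' "$f" \
      "$(svn_hash_get "$f" svn:realmstring)" \
      "$(svn_hash_get "$f" username)" \
      "$(svn_hash_get "$f" passtype)"
  done
}

# Delete the cached entries whose realm contains the fixed string $2 and
# print how many were removed; Subversion prompts again on the next access.
svn_auth_forget() {
  n=0
  for f in "$1"/svn.simple/*; do
    [ -f "$f" ] || continue
    case "$(svn_hash_get "$f" svn:realmstring)" in
      *"$2"*) rm -f "$f"; n=$((n + 1)) ;;
    esac
  done
  echo "$n"
}

# Build a sample auth area with two plaintext entries (constructed data).
svn_auth_make_sample() {
  mkdir -p "$1/svn.simple"
  cat > "$1/svn.simple/a3f1c2d4e5b6a7c8d9e0f1a2b3c4d5e6" <<'EOF'
K 8
passtype
V 6
simple
K 8
password
V 6
secret
K 15
svn:realmstring
V 43
<https://svn.example.com:443> Example Realm
K 8
username
V 5
alice
END
EOF
  cat > "$1/svn.simple/0b1c2d3e4f5a6b7c8d9e0f1a2b3c4d5e" <<'EOF'
K 8
passtype
V 6
simple
K 8
password
V 7
hunter2
K 15
svn:realmstring
V 38
<https://svn.other.net:443> Other Repo
K 8
username
V 3
bob
END
EOF
}

# Usage: svn_auth_list ~/.subversion/auth
#        svn_auth_forget ~/.subversion/auth svn.example.com
```

Listing before deleting is the point: the passtype column shows which entries are plaintext, and the realm column tells you which file a given password lives in without opening each one.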
March 24, 2008 at 4:46 pm
by admin · Filed under Java, Articles
If you need to save an XML representation of your Java object, here is a simple 200-line class that does it using reflection. Don't worry: there is some very effective caching going on, so performance is good. Keep in mind that because it walks every public getter, anything a getter exposes, including values you would not want in a log file or on the wire, ends up in the XML.
// OptimizedReflectionMarshaller.java
package my;

import java.io.IOException;
import java.lang.reflect.Field;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;
import java.lang.reflect.Modifier;
import java.util.Collection;
import java.util.HashMap;
import java.util.Iterator;
import java.util.LinkedList;
import java.util.List;

import org.jdom.Document;
import org.jdom.Element;
import org.jdom.output.XMLOutputter;

/*
 * This is a utility class that marshals a Java Object into an XML
 * String. Originally, this used StringBuffer to build the XML
 * String. However, it has been modified from its original
 * version to build the XML with JDOM instead.
 *
 * @author Kirill at http://www.topxml.com/rbnews/XML/re-2909_A-simple-class-for-converting-any-Java-object-to-XML-string.aspx
 *
 * @date January 21, 2008 - modified
 * @author Jimmy Honeycutt - modified to use JDOM to create XML instead of StringBuffer.
 */
public class OptimizedReflectionMarshaller {

    // cache for getters
    private static HashMap gettersMap = new HashMap();

    // cache for storing info on whether a certain class implements Collection
    private static HashMap collectionsMap = new HashMap();

    private static final String JAVA = "java.";
    private static final String JAVAX = "javax.";
    private static final Class[] EMPTYPARAMS = new Class[0];
Read the rest of this entry »
October 4, 2007 at 4:25 pm
by admin · Filed under Troubleshoot, Articles
"SEVERE: Error reading tld listeners java.lang.NullPointerException": the error appears to come from log4j.
I came across this error when reloading a context in Tomcat 5.5.23.
The solution appeared to be to remove commons-logging from WEB-INF/lib of my web app. I had only added it because Jakarta's HttpClient insisted on it.
Once again, when in doubt, blame commons-logging.