Secure data coming from a WYSIWYG editor

0 votes
595 views

How can I secure data coming from a WYSIWYG editor? I want to allow the user to change properties of the text but not to link images or add scripts to his post.
I'll use this feature to allow users to add comments or compile complex pages. I'm not worried about data coming from the editor but about data that a malicious user can send me from a modified page.
Does Struts 2 have any interceptor that implements this kind of feature? Does anyone have experience with this task?

posted Jun 26, 2013 by anonymous


1 Answer

0 votes

Out there, there are a lot of WYSIWYG editors (like CKEditor) which allow you to define the list of supported tags.

For the server-side aspect, I'd suggest jsoup. It allows you to clean the HTML submitted by the user [ http://jsoup.org/cookbook/cleaning-html/whitelist-sanitizer ].

Also, have a look at hdiv [ http://hdiv.org/ ]; IIRC there is a plugin for Struts2 which should protect against XSS and other security issues.

answer Jun 26, 2013 by anonymous
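What the server-side step from the answer looks like with the jsoup whitelist sanitizer, as an added example (not code from the answer or from the jsoup project); the set of allowed tags is an assumption about what "text properties" should mean for a comment, and `Whitelist` is the class name of the 2013-era API (renamed `Safelist` in newer jsoup releases).

```java
import org.jsoup.Jsoup;
import org.jsoup.safety.Whitelist;

/**
 * Server-side sanitizer for HTML posted from a WYSIWYG editor.
 * Added example built on jsoup's Whitelist sanitizer; the tag list
 * below is an assumption, adjust it to what the editor is allowed to emit.
 */
public final class CommentSanitizer {

    // Text formatting only: no img, script, iframe, style, object, etc.
    private static final Whitelist ALLOWED = new Whitelist()
            .addTags("p", "br", "b", "strong", "i", "em", "u", "s",
                     "ul", "ol", "li", "blockquote", "code", "pre", "h3")
            // Links are kept, but only with http or https targets;
            // javascript: and data: hrefs are stripped with the attribute.
            .addAttributes("a", "href")
            .addProtocols("a", "href", "http", "https")
            // Every surviving link gets rel="nofollow".
            .addEnforcedAttribute("a", "rel", "nofollow");

    private CommentSanitizer() {}

    /** Returns a cleaned body fragment; anything not whitelisted is dropped. */
    public static String clean(String untrustedHtml) {
        if (untrustedHtml == null) {
            return "";
        }
        return Jsoup.clean(untrustedHtml, ALLOWED);
    }

    /** True when the input already conforms; a false here is worth logging. */
    public static boolean isClean(String untrustedHtml) {
        return untrustedHtml != null && Jsoup.isValid(untrustedHtml, ALLOWED);
    }

    public static void main(String[] args) {
        // Constructed sample of what a tampered client could submit:
        // an event handler, an image, a script and a javascript: link.
        String tampered = "<p onclick=\"alert(1)\">Hello <b>world</b></p>"
                + "<img src=\"x\" onerror=\"alert(1)\">"
                + "<script>alert(1)</script>"
                + "<a href=\"javascript:alert(1)\">bad</a>"
                + "<a href=\"https://example.com\">ok</a>";
        System.out.println("conforms: " + isClean(tampered));
        System.out.println(clean(tampered));
    }
}
```

Run `clean()` in the action (or an interceptor) before the post is stored, never only in the browser: the editor's own tag restrictions hold only for clients that have not been modified, which is exactly the case the question is worried about.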