Help: How to avoid CSS attacks in Struts2

shalini_goel14


@shalini-goel14-ASmC2J Oct 25, 2024
Hi All,
Does anyone here have any idea how to do content encoding in Struts by changing only struts.xml?

If anyone knows how to display <script>alert(*some message*)</script> as it is in JSP pages from the database, that will also work.

It's urgent, guys!!! Please help.

Replies


  • shalini_goel14


    @shalini-goel14-ASmC2J Nov 26, 2008

    More specifically: CSS attacks are cross-site scripting attacks. If I have an HTML page with the following code:

    [CODE]
    <html>
    <head>
    <META http-equiv="Content-Type" content="text/html; charset=UTF-8">
    <title></title>
    </head>
    <body>
    <table>
    <tr>
    <!-- The browser parses this cell content as markup, so the script runs -->
    <td><script>alert("Hi");</script></td>
    </tr>
    </table>
    </body>
    </html>
    [/CODE]

    OUTPUT: It displays an alert box with Message("Hi") in it instead of actually displaying the text in a table.

    Anyone has any idea how to avoid it???
  • shalini_goel14


    @shalini-goel14-ASmC2J Nov 27, 2008

    Does anyone here have any idea how to do content encoding in Struts by changing only struts.xml?

    Hi All,

    I got the solution for this.

    FYI,
    No need to change anything in the struts.xml file; the <s:property> tag of Struts2 automatically prevents CSS attacks. Just replace your expression language with the <s:property> tag in your JSP page.
    Ex. If I have used ${employeeName} in my JSP page, replace it with <s:property value="employeeName"/>. It works.

    My problem is solved. Thanks to those who tried :smile:.

    But still following is unsolved?? Give a try for this:

    More specifically: CSS attacks are cross-site scripting attacks. If I have an HTML page with the following code:

    [CODE]
    <html>
    <head>
    <META http-equiv="Content-Type" content="text/html; charset=UTF-8">
    <title></title>
    </head>
    <body>
    <table>
    <tr>
    <!-- The browser parses this cell content as markup, so the script runs -->
    <td><script>alert("Hi");</script></td>
    </tr>
    </table>
    </body>
    </html>
    [/CODE]

    OUTPUT: It displays an alert box with Message("Hi") in it instead of actually displaying the text in a table.

    Anyone has any idea how to avoid it???
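
Added example, not part of the original thread and not Struts code: a minimal Java sketch of the HTML entity encoding that makes the `<script>` text from the post display in the table cell instead of running. `EscapeDemo`, `escapeHtml` and `cell` are hypothetical names, and the sample value is constructed.

```java
public class EscapeDemo {

    // Hand-written HTML entity encoder for text placed in an element body or a
    // quoted attribute. It stands in for the escaping <s:property> applies by
    // default; it is not the Struts implementation.
    static String escapeHtml(String value) {
        if (value == null) {
            return "";
        }
        StringBuilder out = new StringBuilder(value.length() + 16);
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // Hypothetical helper: builds the table cell the way the JSP would emit it.
    static String cell(String content) {
        return "<td>" + content + "</td>";
    }

    public static void main(String[] args) {
        // Constructed sample: the value as it sits, unmodified, in the database.
        String employeeName = "<script>alert(\"Hi\");</script>";

        // What ${employeeName} writes: live markup, so the browser runs the script.
        String raw = cell(employeeName);
        // What an escaped write produces: the browser shows the text in the cell.
        String escaped = cell(escapeHtml(employeeName));

        System.out.println("unescaped: " + raw);
        System.out.println("escaped:   " + escaped);

        // Encode once, at output time. Encoding a second time shows "&lt;" literally.
        System.out.println("double:    " + cell(escapeHtml(escapeHtml(employeeName))));
        // Entity encoding covers HTML text only; a value written inside a
        // <script> block or a URL needs the encoder for that context instead.
    }
}
```

For the static HTML page in the post, the same escaped form can be typed directly into the `<td>` so that the browser renders it as text.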
  • Kaustubh Katdare


    @thebigk Nov 27, 2008

    Shalini - thanks for sharing the answer. Moving the thread to CS section.
  • shalini_goel14


    @shalini-goel14-ASmC2J Nov 27, 2008


    Oops!! 😳
    Replace <s😛roperty> with <s: property> in the previous mail to view it properly.
  • Kaustubh Katdare


    @thebigk Nov 27, 2008

    There is an option to 'disable smilies' in advance editing mode 😀
  • shalini_goel14


    @shalini-goel14-ASmC2J Nov 27, 2008

    Oh... Thanks for the info, I was not aware of it. I will take care of it in future. 😀