CrazyEngineers
  • Help: How to avoid CSS attacks in Struts2

    Updated: Oct 25, 2024
    Hi All,
    Does anyone here have any idea how to do content-encoding in Struts by simply changing only struts.xml?

    If anyone knows how to display <script>alert(*some message*)</script> as it is in JSP pages from the database, that will also work.

    It's urgent, guys!!! Please help.
Replies
  • shalini_goel14

    Member · Nov 26, 2008

    More specifically: CSS attacks are cross-site scripting attacks. If I have an HTML page with the following code:
    [CODE]

    <html>
    <head>
    <META http-equiv="Content-Type" content="text/html; charset=UTF-8">
    </head>
    <title></title>
    <body>
    <table>
    <tr>
    <td><script>alert("Hi");</script></td>
    </tr>
    </table>
    </body>
    </html>

    [/CODE]

    OUTPUT: It displays an alert box with the message "Hi" in it instead of actually displaying the text in the table.

    Does anyone have any idea how to avoid it?
  • shalini_goel14

    Member · Nov 27, 2008

    Is any one here having any idea of how to do content-encoding in struts by simply changing only struts.xml?
    Hi All,

    I got the solution for this.

    FYI,
    No need to change anything in the struts.xml file; the <s:property> tag of Struts2 automatically prevents CSS attacks. Just replace your expression language with the <s:property> tag in your JSP page.
    Ex. If I use ${employeeName} in my JSP page, replace it with <s:property value="employeeName"/>. It works.

    My problem is solved. Thanks to those who tried :smile:.

    But the following is still unsolved. Give this a try:

    More specifically: CSS attacks are cross-site scripting attacks. If I have an HTML page with the following code:
    [CODE]

    <html>
    <head>
    <META http-equiv="Content-Type" content="text/html; charset=UTF-8">
    </head>
    <title></title>
    <body>
    <table>
    <tr>
    <td><script>alert("Hi");</script></td>
    </tr>
    </table>
    </body>
    </html>

    [/CODE]

    OUTPUT: It displays an alert box with the message "Hi" in it instead of actually displaying the text in the table.

    Does anyone have any idea how to avoid it?
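The HTML encoding that `<s:property>` applies by default, shown as an added example that is not part of the thread: each stored value is entity-encoded before it is written into the table cell, so the browser renders the text instead of executing it. The class and method names are hypothetical and the sample values are constructed; the encoder covers HTML element content and quoted attribute values only, not script or URL contexts.

```java
// Added example, not code from the thread. Class and method names are hypothetical.
public class HtmlTextEncoder {

    /** Encode a value for use in HTML element content or a quoted attribute value. */
    static String escapeHtml(String value) {
        if (value == null) {
            return "";                       // render missing data as an empty cell
        }
        StringBuilder out = new StringBuilder(value.length() + 16);
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break; // must be encoded too, or "&lt;" in data is ambiguous
                case '<':  out.append("&lt;");   break; // stops the value from opening a tag
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break; // stops breakout from a "quoted" attribute
                case '\'': out.append("&#39;");  break; // stops breakout from a 'quoted' attribute
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed sample values standing in for rows read from the database.
        String[] stored = {
            "<script>alert(\"Hi\");</script>",
            "Tom & Jerry",
            "O'Neil <admin>",
            null
        };
        StringBuilder page = new StringBuilder("<table>\n");
        for (String value : stored) {
            // Encode at output time, for the context the value is written into.
            page.append("<tr><td>").append(escapeHtml(value)).append("</td></tr>\n");
        }
        page.append("</table>");
        System.out.println(page);
    }
}
```

The first cell comes out as `&lt;script&gt;alert(&quot;Hi&quot;);&lt;/script&gt;`, which a browser displays as the literal text of the script tag. Writing the cell of the static page in that encoded form gives the same result there.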
  • Kaustubh Katdare

    Administrator · Nov 27, 2008

    Shalini - thanks for sharing the answer. Moving the thread to CS section.
  • shalini_goel14

    Member · Nov 27, 2008

    Oops!! 😳
    Replace <s😛roperty> with <s: property> in the previous mail to view it properly.
  • Kaustubh Katdare

    Administrator · Nov 27, 2008

    There is an option to 'disable smilies' in advance editing mode 😀
  • shalini_goel14

    Member · Nov 27, 2008

    Oh.. Thanks for the info. I was not aware of it. I will take care of it in future. 😀