Help:How to avoid CSS attacks in strut2

shalini_goel14 · 2008-11-26T01:01:18+00:00

Hi All, Is any one here having any idea of how to do content-encoding in struts by simply changing only struts.xml? If anyone knows how to display <script>alert(*some message*)</script> as it is in jsp pages from the database,will also work. Its urgent guys !!! Please help..

Help:How to avoid CSS attacks in strut2

shalini_goel14

Member

Updated: Oct 25, 2024

Views: 1.2K

Hi All,
Is any one here having any idea of how to do content-encoding in struts by simply changing only struts.xml?

If anyone knows how to display <script>alert(*some message*)</script> as it is in jsp pages from the database,will also work.

Its urgent guys !!! Please help..

0

Replies

Howdy guest!

Dear guest, you must be logged-in to participate on CrazyEngineers. We would love to have you as a member of our community. Consider creating an account or login.

Replies

shalini_goel14

Member • Nov 26, 2008

More specific :CSS Attacks are cross-site scripting attacks.If I have a html page with following code:
[CODE ]

<html>
<head>
<META http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<title></title>
<body>
<table>
<tr>
<td><script>alert("Hi");</script></td>
</tr>
</table>
</body>
</html>

[ /CODE ]

OUTPUT: It displays an alert box with Message("Hi") in it instead of actually displaying the text in a table.

Anyone has any idea how to avoid it???

Are you sure? This action cannot be undone.
Cancel
shalini_goel14

Member • Nov 27, 2008
Is any one here having any idea of how to do content-encoding in struts by simply changing only struts.xml?
Hi All,

I got the solution for this.

FYI,
No need of changing anything in struts.xml file,<s😛roperty> tag of struts2 automatically prevents CSS attacks.Just replace your expression language with <s😛roperty> tag in your jsp page.
Ex. If I have use ${employeeName} in my jsp page ,replace it with <s😛roperty value="employeeName"/> .It works

My problem is solved.Thanks for those who tried :smile:.

But still following is unsolved?? Give a try for this:
More specific :CSS Attacks are cross-site scripting attacks.If I have a html page with following code:
```
<html>
<head>
<META http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<title></title>
<body>
<table>
<tr>
<td><script>alert("Hi");</script></td>
</tr>
</table>
</body>
</html>
```
OUTPUT: It displays an alert box with Message("Hi") in it instead of actually displaying the text in a table.

Anyone has any idea how to avoid it???
Are you sure? This action cannot be undone.
Cancel
Kaustubh Katdare

Administrator • Nov 27, 2008

Shalini - thanks for sharing the answer. Moving the thread to CS section.

Are you sure? This action cannot be undone.
Cancel
shalini_goel14

Member • Nov 27, 2008

shalini_goel14
Hi All,

I got the solution for this.

FYI,
No need of changing anything in struts.xml file,<s😛roperty> tag of struts2 automatically prevents CSS attacks.Just replace your expression language with <s😛roperty> tag in your jsp page.
Ex. If I have use ${employeeName} in my jsp page ,replace it with <s😛roperty value="employeeName"/> .It works

My problem is solved.Thanks for those who tried :smile:.

But still following is unsolved?? Give a try for this:

Oops !! 😳 .
Replace ,<s😛roperty> with <s: property> in previous mail to view properly

Are you sure? This action cannot be undone.
Cancel
Kaustubh Katdare

Administrator • Nov 27, 2008

There is an option to 'disable smilies' in advance editing mode 😀

Are you sure? This action cannot be undone.
Cancel
shalini_goel14

Member • Nov 27, 2008

Oh ..Thanks for the info., I was not aware of it.I will take care of it in future.😀

Are you sure? This action cannot be undone.
Cancel