shalini_goel14
26 Nov 2008

Help: How to avoid CSS attacks in struts2

Hi All,
Does anyone here have any idea how to do content encoding in Struts by changing only struts.xml?

If anyone knows how to display <script>alert(*some message*)</script> as it is in JSP pages from the database, that will also work.

It's urgent, guys!!! Please help.
shalini_goel14
27 Nov 2008
More specifically: CSS attacks are cross-site scripting attacks. If I have an HTML page with the following code:
[CODE]
<html>
<head>
<META http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<title></title>
<body>
<table>
<tr>
<td><script>alert("Hi");</script></td>
</tr>
</table>
</body>
</html>
[/CODE]

OUTPUT: It displays an alert box with Message("Hi") in it instead of actually displaying the text in a table.

Does anyone have any idea how to avoid it???
shalini_goel14
27 Nov 2008
Does anyone here have any idea how to do content encoding in Struts by changing only struts.xml?
Hi All,

I got the solution for this.

FYI,
There is no need to change anything in the struts.xml file; the <s:property> tag of Struts2 automatically prevents CSS attacks. Just replace your expression language with the <s:property> tag in your JSP page.
Ex. If I use ${employeeName} in my JSP page, replace it with <s:property value="employeeName"/>. It works.

My problem is solved. Thanks to those who tried :smile:.

But the following is still unsolved?? Give this a try:

More specifically: CSS attacks are cross-site scripting attacks. If I have an HTML page with the following code:
<html>
<head>
<META http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<title></title>
<body>
<table>
<tr>
<td><script>alert("Hi");</script></td>
</tr>
</table>
</body>
</html>

OUTPUT: It displays an alert box with Message("Hi") in it instead of actually displaying the text in a table.

Does anyone have any idea how to avoid it???
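
Added example, not part of the original posts and not Struts' own code: a minimal Java sketch of the HTML entity encoding that makes a stored value such as the script string above render as text inside a table cell. The class and method names (HtmlEscapeDemo, escapeHtml) and the sample value are assumptions made for illustration.

```java
// Added example: class and method names are hypothetical, not Struts code.
public class HtmlEscapeDemo {

    // Replace the characters that HTML treats as markup with entities,
    // so the browser shows them as text instead of parsing them.
    static String escapeHtml(String value) {
        if (value == null) {
            return "";
        }
        StringBuilder out = new StringBuilder(value.length() + 16);
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed sample value, standing in for a string read from the database.
        String employeeName = "<script>alert(\"Hi\");</script>";

        // Written unencoded, the value becomes a script element in the page.
        System.out.println("<td>" + employeeName + "</td>");

        // Written encoded, the same value is plain text inside the cell.
        System.out.println("<td>" + escapeHtml(employeeName) + "</td>");
    }
}
```

This encoding suits values placed in element content or quoted attribute values; values written into script blocks or URLs need encoding for that context instead.
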
27 Nov 2008
Shalini - thanks for sharing the answer. Moving the thread to CS section.
shalini_goel14
27 Nov 2008
Oops!! 😳
Replace <s😛roperty> with <s: property> in the previous mail to view it properly.
27 Nov 2008
There is an option to 'disable smilies' in advanced editing mode 😀
shalini_goel14
27 Nov 2008
Oh.. Thanks for the info, I was not aware of it. I will take care of it in future. 😀
