I am using Spring 3.1.1. I am trying to HTML encode my incoming request parameters. The call to my JSP page can be made manually by a user passing in a URL from a command line tool or web browser.
Let's assume I have a request as below, with a request parameter named language: http://localhost:8080/testdomain/createaccount.do?language=eng
I want to HTML encode the 'language' request parameter. I have already set a context-param in web.xml for HTML encoding.
<context-param>
    <param-name>defaultHtmlEscape</param-name>
    <param-value>true</param-value>
</context-param>
Specifying defaultHtmlEscape within the web.xml does not escape the HTML elements in the request parameter. It doesn't seem to be working. Any suggestions on how to get this working?
If I call the below inside the controller, would this even help, as the parsing must have already been done?
At the specific Spring controller for this page, how do I ensure HTML encoding before reading the request parameter?
I want to understand the options for enforcing HTML encoding at the application level and at the page/controller level.
I am trying to generate emails with HTML content. This content has already gone through sanitation, so I am not worried in that regard; however, when I call:
on the following Razor template:
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
  <body>
    @(new System.Web.HtmlString(Model.EmailContent))
  </body>
</html>
the email that is output is HTML encoded, but I need it decoded. How can I accomplish this?
Preface to avoid the XY problem: I'm trying to convert strings (taken from an Excel spreadsheet) containing HTML entities (of the form &#XXX) to their corresponding characters in preparation for pasting them into a Word document. My plan was to use some code like this:
With Application.ActiveSheet
    Dim transcript As String
    transcript = HttpUtility.HtmlDecode(.Cells(i, 13).Text)
End With
This code resulted in an "Object required" error, which is pretty vague, so I tried to isolate certain parts of the line, and the problem is the HttpUtility.HtmlDecode call. I can only find documentation for the .NET version, and it seems to suggest my syntax is valid. Alternatively, I saw the following kind of process used in the example in said documentation:
With Application.ActiveSheet
    Dim transcriptW As New StringWriter
    HttpUtility.HtmlDecode(.Cells(i, 13).Text, transcriptW)
End With
This makes things even worse, as StringWriter apparently doesn't even exist in Office VBA. So at this point, I've given up on the documentation because it clearly isn't for the language I'm writing in.
Does anyone know what's going on at any stage of my troubleshooting? I appreciate any piece of it being clarified.
Django escapes these characters: & < > " ', which is sufficient for inserting data in HTML elements. However, if you want to set untrusted data in attributes, OWASP recommends escaping a lot more characters:
Except for alphanumeric characters, escape all characters with ASCII values less than 256 with the &#xHH; format (or a named entity if available) to prevent switching out of the attribute.
The reason being, it's very easy to miss a quote on an attribute, and unquoted attributes can be broken out of with many characters, including: [space] % * + , - / ; < = > ^ and |
Is there a built-in function or a library to achieve this?
P.S. Another blog post worth reading that explains why a broader escape function is needed in some contexts: http://wonko.com/post/html-escaping
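The OWASP attribute rule quoted above, implemented beside a Django-style five-character escape, as an added example (not code from the question or from Django itself; `django_style_escape` only mirrors the five replacements listed in the question, and the sample attribute value is constructed):

```python
import html
import re

# The five replacements the question lists for Django's escape();
# Django is not imported so this runs stand-alone.
DJANGO_ESCAPES = {"&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;"}


def django_style_escape(s: str) -> str:
    """Element-content escaping: only & < > " ' are replaced."""
    return "".join(DJANGO_ESCAPES.get(c, c) for c in s)


def owasp_attribute_escape(s: str) -> str:
    """OWASP attribute rule: except ASCII alphanumerics, every character with a
    code point below 256 becomes &#xHH;. Code points >= 256 are passed through."""
    out = []
    for c in s:
        cp = ord(c)
        if c.isascii() and c.isalnum():
            out.append(c)
        elif cp < 256:
            out.append(f"&#x{cp:02X};")
        else:
            out.append(c)
    return "".join(out)


def round_trips(s: str) -> bool:
    """Escaping must be lossless: a standard HTML decoder recovers the input."""
    return html.unescape(owasp_attribute_escape(s)) == s


def render_unquoted(value: str, escaper) -> str:
    """The risky pattern from the question: the attribute value is not quoted."""
    return f"<div class={escaper(value)}>"


def attribute_count(tag: str) -> int:
    """Count name= tokens in a tag; more than one means the value broke out."""
    return len(re.findall(r"\s([A-Za-z_:][-\w:]*)=", tag))


# Constructed sample: a harmless value containing a space and an equals sign.
UNTRUSTED = "small extra=1"

if __name__ == "__main__":
    for name, fn in (("django", django_style_escape), ("owasp", owasp_attribute_escape)):
        tag = render_unquoted(UNTRUSTED, fn)
        print(f"{name}: {tag}  attributes={attribute_count(tag)}")
```

With the five-character escape the space and `=` survive, so the browser sees two attributes; with the OWASP rule the value stays a single attribute.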
Every time a user posts something containing < or > in a page in my web application, I get this exception thrown.
I don't want to go into the discussion about the smartness of throwing an exception or crashing an entire web application because somebody entered a character in a text box, but I am looking for an elegant way to handle this.
Trapping the exception and showing "An error has occurred, please go back and re-type your entire form again, but this time please do not use <" doesn't seem professional enough to me.
Disabling post validation (validateRequest="false") will definitely avoid this error, but it will leave the page vulnerable to a number of attacks.
Ideally: when a post back occurs containing HTML restricted characters, that posted value in the Form collection will be automatically HTML encoded. So the .Text property of my text box will be something&lt;html&gt;
Is there a way I can do this from a handler?