Wednesday, August 19, 2009

Prevent XSS

Hi team,


Fields that allow the user to key in special characters need extra handling.



Example: CustomerCategory.description allows special characters to be keyed in.
How do I know that description allows special characters?

Compare the validation of customerCategory.name and customerCategory.description in CustomerCategoryAction:


    // Opening of the annotation assumed (Stripes @ValidateNestedProperties); the original snippet starts mid-annotation
    @ValidateNestedProperties({
        @Validate(field = "name", on = { "insert", "update" }, required = true, maxlength = 50, mask = "[a-zA-Z0-9-/ ]+"),
        @Validate(field = "description", on = { "insert", "update" }, required = true, maxlength = 100) })
    private CustomerCategory customerCategory;


Clearly the name field has a mask that rejects special characters, while description has no mask at all.

Below are code snippets showing how to handle XSS.




1) Set escapeXml="true" on sx:row so that this field is not vulnerable to XSS.



Files:
errorMessage_detail.jsp
and
transactionCode_detail.jsp

old code:
<sx:row key="errorMessage.message"><s:textarea name="errorMessage.message" /></sx:row>

new code:
<sx:row key="errorMessage.message" escapeXml="true"><s:textarea name="errorMessage.message" /></sx:row>


2) Set escapeXml="true" on d:column so that this field is not vulnerable to XSS.



Files:
authorizationBatch_list.jsp
and
search_result.jsp


old code:
<d:column titleKey="errorMessage.message" property="message" />

new code:
<d:column titleKey="errorMessage.message" property="message" escapeXml="true"/>



3) Use
<c:out value="${row.description}" escapeXml="true"></c:out>

instead of outputting the value directly with
${row.description}

(escapeXml already defaults to true on c:out, so stating it is optional; the raw ${...} expression is the form that performs no escaping.)

See CibSupportCenterWeb\WebContent\WEB-INF\pages\parameter\messageBroadcast_list.jsp
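As a worked example added here (not code from the original post or the project), the following Java class mirrors the two defences described above: the name mask from the @Validate annotation, and an equivalent of escapeXml="true" applied to the description. The class name, method names and the sample description are assumptions for illustration only.

```java
import java.util.regex.Pattern;

// Added example, not code from the original post or the project: it mirrors
// the two defences above so you can see which field each one actually covers.
public class XssEscapeDemo {

    // The same mask as @Validate(field = "name", ...) above. It admits none of
    // the five characters HTML cares about (< > & " '), so a name that passed
    // validation cannot carry markup even when printed without escapeXml.
    private static final Pattern NAME_MASK = Pattern.compile("[a-zA-Z0-9-/ ]+");

    static boolean nameIsValid(String name) {
        return name != null && name.length() <= 50 && NAME_MASK.matcher(name).matches();
    }

    // What escapeXml="true" does on <c:out>, <sx:row> and <d:column>: JSTL
    // replaces exactly these five characters with entities and leaves the rest.
    static String escapeXml(String s) {
        if (s == null) return "";
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '&':  out.append("&amp;");  break;
                case '"':  out.append("&#034;"); break;
                case '\'': out.append("&#039;"); break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // escape=false is what ${row.description} renders; escape=true is the <c:out> form.
    static String renderCell(String description, boolean escape) {
        return "<td>" + (escape ? escapeXml(description) : description) + "</td>";
    }

    public static void main(String[] args) {
        // Constructed sample: a description containing markup, which the
        // description field has no mask to reject.
        String description = "Promo <b>50% off</b> & \"more\"";
        System.out.println(nameIsValid("Retail/Gold 01"));      // a name the mask accepts
        System.out.println(nameIsValid("Retail <b>Gold</b>"));  // a name the mask rejects
        System.out.println(renderCell(description, false));     // raw: markup reaches the browser
        System.out.println(renderCell(description, true));      // escaped: browser shows it as text
    }
}
```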