Examples of hirondelle.web4j.security.SafeText

• hirondelle.web4j.security.SafeText
  wasp.org/index.php/Cross_Site_Scripting'>Cross Site Scripting (XSS).

  Free-form text refers to text entered by the end user. It differs from other data in that its content is not tightly constrained. Examples of free-form text might include a user name, a description of something, a comment, and so on. If you model free-form text as a simple String, then when presenting that text in a web page, you must take special precautions against Cross Site Scripting attacks, by escaping special characters. When modeling such data as SafeText, however, such special steps are not needed, since the escaping is built directly into its {@link #toString} method.

  It is worth noting that there are two defects with JSTL' s handling of this problem :

  • the {@code } tag escapes only 5 of the 12 special characters identifiedby the Open Web App Security Project as being a concern.
  • used in a JSP, the Expression Language allows pleasingly concise presentation, but does not escape special characters in any way. Even when one is aware of this, it is easy to forget to take precautions against Cross Site Scripting attacks.

  Using SafeText will protect you from both of these defects. Since the correct escaping is built into {@link #toString}, you may freely use JSP Expression Language, without needing to do any escaping in the view. Note that if you use {@code } with SafeText (not recommeded), then you must use escapeXml='false' to avoid double-escaping of special characters.

  There are various ways of presenting text :

  • as HTML (most common) - use {@link #toString()} to escape a large number of special characters.
  • as XML - use {@link #getXmlSafe()} to escape 5 special characters.
  • as JavaScript Object Notation (JSON) - use {@link #getJsonSafe()} to escape a number of special characters
  • as plain text - use {@link #getRawString()} to do no escaping at all.

  Checking For Vulnerabilities Upon Startup

  WEB4J will perform checks for Cross-Site Scripting vulnerabilities upon startup, by scanning your application's classes for public Model Objects having public getXXX methods that return a String. It will log such occurrences to encourage you to investigate them further.

  Design Notes :
  This class is final, immutable, {@link Serializable}, and {@link Comparable}, in imitation of the other building block classes such as {@link String}, {@link Integer}, and so on.

  The reason why protection against Cross-Site Scripting is not implemented as a Servlet Filter is because a filter would have no means of distinguishing between safe and unsafe markup.

  One might object to escaping special characters in the Model, instead of in the View. However, from a practical point of view, it seems more likely that the programmer will remember to use SafeText once in the Model, than remember to do the escaping repeatedly in the View.

  private void testEqualsFor(Visit aVisit, String aId, String aRestoId, Date aDate, String aComment) {
    Visit testVisit = null;
    Id visitId = (aId != null ? Id.from(aId) : null);
    try {
      testVisit = new Visit(visitId, Id.from(aRestoId), aDate, new SafeText(aComment));
    }
    catch (ModelCtorException ex) {
      throw new RuntimeException(ex);
    }
    // log("aVisit: " + aVisit);

  private void testNotEqualsFor(Visit aVisit, String aId, String aRestoId, Date aDate,
  String aComment) {
    Visit testVisit = null;
    Id visitId = (aId != null ? Id.from(aId) : null);
    try {
      testVisit = new Visit(visitId, Id.from(aRestoId), aDate, new SafeText(aComment));
    }
    catch (ModelCtorException ex) {
      throw new RuntimeException(ex);
    }
    // log("A: " + aVisit);

  }

  /** Create a {@link User} from user input. */
  protected void validateUserInput() {
    try {
      SafeText userName = getParam(USER_NAME);
      fUser = User.forNewUserOrPasswordReset(userName);
    }
    catch (ModelCtorException ex){
      addError(ex);
    }

    throw new UnsupportedOperationException();
  }

  /** Fetch a {@link UserRole}, in preparation for editing it. */
  protected void attemptFetchForChange() throws DAOException {
    SafeText name = getParam(NAME);
    UserRole userRole = fRoleDAO.fetch(name);
    if( userRole == null ){
      addError("Item no longer exists. Likely deleted by another user.");
    }
    else {

  @Override public ResponsePage execute() throws AppException {
    ResponsePage result = getResponsePage();
    List<Prediction> predictions = fDAO.list(getIdParam(LIST_ID));
    if( ! predictions.isEmpty() ) {
      addToRequest(ITEMS_FOR_LISTING, predictions);
      SafeText title = getPredictionListTitle();
      addToRequest("title", title);
      addToRequest("averageScore", Prediction.calculateAverageScore(predictions));
      result = getResponse(title.getRawString());
    }
    else {
      //if user puts in an arbitrary list id, it will likely not exist
      addMessage("No list of predictions found.");
    }

    return TemplatedPage.get(aTitle, "view.jsp", ViewPublicListAction.class);
  }

  private SafeText getPredictionListTitle() throws DAOException {
    PredictionList list = fetchPredictionList();
    SafeText ownerScreenName = list.getUserScreenName();
    SafeText title = fetchPredictionList().getTitle();
    return SafeText.from(ownerScreenName.getRawString() + " - " + title.getRawString());
  }

  }

  public void reactToUserLogin(HttpSession aSession, HttpServletRequest aRequest) throws AppException {
    //SafeText is used here to avoid using String
    //AllowStringAsBuildingBlock is set to NO in web.xml
    SafeText userName = SafeText.from(aRequest.getUserPrincipal().getName());
    fLogger.fine("Adding user preferences to session, for principal name:" + userName);
    PreferencesDAO dao  = new PreferencesDAO();
    try {
      Preferences prefs = dao.fetch(userName);
      fLogger.fine("Adding user id and screen name to session");

   */
  public Integer getOutcomeScore() {
    Integer result = null;
    if (fOutcome != null) {
      //Undecidable items will have the short text as null
      SafeText value = fOutcome.getShortText();
      if( value != null ) {
        result = Integer.valueOf(value.getRawString());
      }
    }
    return result;
  }

      result = id.getRawString();
    }
    else if ( aObject instanceof SafeText ) {
      //The Populate tag will safely escape all such text data.
      //To avoid double escaping, the raw form is returned.
      SafeText safeText = (SafeText)aObject;
      result = safeText.getRawString();
    }
    else {
      result = aObject.toString();
    }
    return result;

      result = null;
    }
    else if (aObject instanceof SafeText){
      //it is odd to extract an identical object like this,
      //but it safely avoids double escaping at the end of this method
      SafeText text = (SafeText) aObject;
      result = text.getRawString();
    }
    else if (aObject instanceof Id){
      Id id = (Id) aObject;
      result = id.getRawString();
    }
    else if (aObject instanceof Code){
      Code code = (Code) aObject;
      result = code.getText().getRawString();
    }
    else if (aObject instanceof String) {
      result = aObject.toString();
    }
    else if ( aObject instanceof DateTime ){
      DateTime dateTime = (DateTime)aObject;
      result = fDateConverter.formatEyeFriendlyDateTime(dateTime, fLocale);
    }
    else if ( aObject instanceof Date ){
      Date date = (Date)aObject;
      result = fDateConverter.formatEyeFriendly(date, fLocale, fTimeZone);
    }
    else if ( aObject instanceof BigDecimal ){
      BigDecimal amount = (BigDecimal)aObject;
      result = getBigDecimalDisplayFormat().format(amount.doubleValue());
    }
    else if ( aObject instanceof Decimal ){
      Decimal money = (Decimal)aObject;
      result = getBigDecimalDisplayFormat().format(money.getAmount().doubleValue());
    }
    else if ( aObject instanceof Boolean ){
      Boolean value = (Boolean)aObject;
      result = getBooleanDisplayText(value);
    }
    else if ( aObject instanceof Integer ) {
      Integer value = (Integer)aObject;
      result = getIntegerReportDisplayFormat().format(value);
    }
    else if ( aObject instanceof Long ) {
      Long value = (Long)aObject;
      result = getIntegerReportDisplayFormat().format(value.longValue());
    }
    else if ( aObject instanceof Locale ) {
      Locale locale = (Locale)aObject;
      result = locale.getDisplayName(fLocale);
    }
    else if ( aObject instanceof TimeZone ) {
      TimeZone timeZone = (TimeZone)aObject;
      result = timeZone.getDisplayName(false, TimeZone.SHORT, fLocale);
    }
    else {
      result = aObject.toString();
    }
    //ensure that all empty results have configured content
    if ( ! Util.textHasContent(result) ) {
      result = fEmptyOrNullText;
    }
    return new SafeText(result);
  }