xssAPI cannot be resolved error in my CQ5 component jsp - xss

Below is the code snippet:
<%@taglib prefix="cq" uri="http://www.day.com/taglibs/cq/1.0" %>
<%@taglib prefix="sling" uri="http://sling.apache.org/taglibs/sling/1.0" %>
<sling:defineObjects />
<cq:defineObjects />
<label class="form_label" for="send_to"><%=xssAPI.encodeForHTML(sendToLabel)%></label>
Even though I included global.jsp, I am still getting the compilation error.

Which version of CQ5 are you using? If it is CQ 5.4, xssAPI is not available in it when you include global.jsp.
Instead you could use the XSSProtectionService.class to protect from XSS.
The XSSProtectionService can be obtained from sling.getService(), and its protectFromXSS() method can then be used:
final XSSProtectionService xss = sling.getService(XSSProtectionService.class);
xss.protectFromXSS(sendToLabel);

I think the problem is caused by the unknown variable sendToLabel. Use the properties ValueMap to get this property:
<%=xssAPI.encodeForHTML(properties.get("sendToLabel", String.class))%>

Related

Entangle nested property value with livewire's alpine js until first property is not defined

I am trying to get and set the datepicker date via the Livewire and Alpine.js entangle solution, so that when one is updated the other is set automatically, but I am facing some issues when the entangled property is a nested one.
The main goal here is to update the Bootstrap datepicker component when b2c.birth_date is updated and vice versa; however, when the page is first loaded and b2c is not defined yet, it throws this error until b2c itself is defined:
Alpine js Expression error: Can't get birth_date of null
In the code below I have added a JS condition, but I believe this is not a proper solution, as currentDate in this case is not updated after b2c is defined.
<div id="birthdatepicker-container" class="input-group"
     x-data="{currentDate: $wire.get('b2c') ? @entangle('b2c.birth_date') : ''}"
     x-init="$($refs.input).bootstrapDP('setDate', currentDate)"
>
    <span class="input-group-text"><i class="fas fa-calendar-alt"></i></span>
    <input wire:ignore id="b2c_birth_date" x-ref="input" class="form-control" type="text"
           x-data="{
               init() {
                   $($el).bootstrapDP({
                   }).on('changeDate', function(e) {
                       $wire.set('b2c.birth_date', e.format());
                   });
               },
           }" />
</div>
Please suggest some kind of promise-like async thing to update currentDate once b2c.birth_date is defined (whenever that happens via a network request, sooner or later), the same way it works nicely when we write wire:model="b2c.birth_date".

syntax error on jsp update validation code

After filling in the update database table form and submitting it I get this error:
You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '?, user_surname=?, email=?, phone_number=?, password=?, confirm_password=? wh...' at line 1.
I am using JSP on Apache NetBeans 12.6. Here is my whole validation code.
<%@page contentType="text/html" pageEncoding="UTF-8"%>
<%@page import="java.sql.*,java.util.*" %>
<% Class.forName("com.mysql.cj.jdbc.Driver"); %>
<%
String user_role=request.getParameter("user_role");
String user_name=request.getParameter("user_name");
String user_surname=request.getParameter("user_surname");
String email=request.getParameter("email");
String phone_number=request.getParameter("phone_number");
String password=request.getParameter("password");
String confirm_password=request.getParameter("confirm_password");
Connection con=DriverManager.getConnection("jdbc:mysql://localhost:3306/simsdb","root","");
Statement st=con.createStatement();
int i=st.executeUpdate("update users set user_role=?, user_surname=?, email=?, phone_number=?, password=?, confirm_password=? where user_name=?");
out.println("Updated");
out.print("<br><button type=\"button\">User Management</button>");
%>
I have tried many update validation codes, but they just don't update anything at all. As for this code, it worked on Delete and Insert, so I believe it should work on update also.
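An added example, not the poster's code: the same update written with a PreparedStatement. Statement.executeUpdate sends the literal ? characters to MariaDB, which is the syntax error quoted above; a PreparedStatement binds each value as data, which also keeps user input out of the SQL text. The class and method names are assumptions; the column names and table come from the question.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.SQLException;

// Added example (not from the question): the page's update rebuilt with bound parameters.
public class UserUpdate {

    // Every value goes through a "?" placeholder, so the driver transmits it as data,
    // never as part of the SQL statement text. That fixes the syntax error and closes
    // the injection hole that string concatenation would open.
    public static int updateUser(Connection con, String userRole, String userSurname,
                                 String email, String phoneNumber, String password,
                                 String confirmPassword, String userName) throws SQLException {
        String sql = "update users set user_role=?, user_surname=?, email=?, phone_number=?,"
                   + " password=?, confirm_password=? where user_name=?";
        try (PreparedStatement ps = con.prepareStatement(sql)) {
            ps.setString(1, userRole);
            ps.setString(2, userSurname);
            ps.setString(3, email);
            ps.setString(4, phoneNumber);
            // The question stores the password as submitted; in production hash it first
            // and do not persist confirm_password at all.
            ps.setString(5, password);
            ps.setString(6, confirmPassword);
            ps.setString(7, userName);  // the WHERE key is the last placeholder
            return ps.executeUpdate();  // rows changed; 0 means no user with that user_name
        }
    }
}
```

In the JSP, replace the Statement block with a call to this method and print "Updated" only when the returned count is greater than zero.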

How do I get WebGuy->fillField for <input type="email"> in Codeception acceptance test?

In Codeception, fillField works fine when I have
<input type="text" name="email">, but it does not work when I have <input type="email" name="email">.
I have tried with the following code
$I->fillField('input[name=email]', 'user@domain.com');
Also with $I->fillField('email', 'user@domain.com');
But it does not work. I am getting the following error:
ElementNotVisibleException: Element is not currently visible
I have never tested on an email field, but if it doesn't work, you can choose some workarounds like the ones below:
(1) Using JS
$I->executeJS("window.document.getElementsByName('email')[0].value = '###value###';");
(2) Using low-level WebDriver code:
$I->executeInSelenium(function (\Facebook\WebDriver\Remote\RemoteWebDriver $webdriver) {
    $webdriver->findElement(\Facebook\WebDriver\WebDriverBy::xpath('###XPATH###'))->sendKeys('###value###');
});
Again, if you get any Codeception-specific issues, please raise them here.
I hope it helps.
I got the answer actually. Now I can target any form element by XPath without running executeInSelenium.
So in Chrome/Firefox I inspect the DOM, right-click and copy the XPath,
as an example:
$I->fillField('//*[@id="register-form"]/fieldset/section[3]/div/div/label/input', 'user@domain');
And it works great for other form elements too.

Routing Error, receive [Get] instead of [DELETE]

I'm trying to make a link to destroy a row in a table, but the problem is that I receive [GET] instead of [DELETE].
Here is the error:
No route matches [GET] "/clubs/1/club_accounting/2"
My route is:
club_club_accounting_delete_path
DELETE
/clubs/:club_id/club_accounting/:id(.:format)
club_accounting#delete
My link:
<%= link_to 'Supprimer', club_club_accounting_delete_path(:id => activity.id), method: :delete %>
Any idea?
The method: :delete option in the link_to helper adds the attribute data-method="delete" to the resultant <a> tag. This is then handled by the jquery_ujs javascript file. Make sure it's included correctly and that it shows up in your page source. If it's there, open the javascript console in your browser's developer tools to see if there's any javascript errors when you click on the link.
Other than that, your posted code looks in order.
Minor style suggestion though: you don't need to pass :id => activity.id to the path helper, just use: club_club_accounting_delete_path(activity).
If you encounter any error messages, post them back in your answer.

Cross Site Scripting with Hidden Inputs

My company gave me the task of resolving all security issues with a particular application. The security team reported a cross-site scripting error. The error lies in the following input field:
<input type="hidden" name="eventId" value="${param.eventId}"/>
The report from security wasn't very detailed, but they say they can make a POST request to the page that has the above tag including the following malicious code:
eventId=%22%3e%3csCrIpT%3ealert(83676)%3c%2fsCrIpT%3e
And that when the page reloads, it will have the following:
<input type="hidden" name="eventId" value=""><sCrIpt>alert(83676)</sCrIpt></value>
I am trying to "be the hacker" and show the vulnerability, but I can't figure out how they manage to get that script in there. I am guessing they include it as a URL parameter in the GET request for the form, but when I try to do it myself I get a 403 error. Does anyone know how the vulnerability can be shown?
I know there are a number of XSS questions on the site, but none seem to hit this topic.
So, I am not sure why, but my original hunch was correct. The script can be passed as a URL parameter. For some reason, though, this was not working with our staging site, only when running the application locally. I am not sure why, but this works (only locally):
http://localhost:8080/myUrl/MyAction.do?eventId=%22%3e%3csCrIpT%3ealert(83676)%3c%2fsCrIpT%3e
Doing that, you see an alert box pop up. I am planning to fix it using JSTL functions.
<%@ taglib uri="http://java.sun.com/jsp/jstl/functions" prefix="fn" %>
...
<input type="hidden" name="eventId" value="${fn:escapeXml(param.eventId)}"/>
Install the TamperData add-on in the Firefox browser, which lets you edit the data before submitting. It doesn't matter if it's in POST or GET.
By using this, hidden fields can be edited.
What you want to do to fix the problem is to HTML-attribute-encode the value before putting it inside the value attribute. See OWASP ESAPI or MS AntiXSS for methods for doing HTML attribute encoding.
Seeing how the attack string is URL-encoded, I think your guess about including it as a GET parameter seems reasonable.
I used the OWASP ESAPI API as the legacy JSPs didn't have JSTL available. This is what I used:
<input type="hidden" name="dataValue" value="<%=ESAPI.encoder().encodeForHTMLAttribute(dataValue)%>">
You can also use the API to filter request.getParameter() values, which I also needed, as in:
String userURL = request.getParameter("userURL");
boolean isValidURL = ESAPI.validator().isValidInput("URLContext", userURL, "URL", 255, false);
if (isValidURL) {
    // userURL passed validation and may be rendered as a link
}
and:
String name = request.getParameter("name");
name = ESAPI.validator().getValidInput("name", name, "SafeString", 35, true);
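An added example, not code from the question or its answers: the reported payload rendered into the hidden input both as the original JSP did and after HTML attribute encoding, so the effect of the fix recommended above can be seen on the exact string from the report. The encoder here is a minimal stand-in written for this example; in the application itself use ESAPI's encodeForHTMLAttribute() or fn:escapeXml as the answers suggest. Class and method names are assumptions.

```java
// Added example (not from the thread): vulnerable and encoded rendering of the hidden field.
public class HiddenInputEncoding {

    // The reported payload after URL decoding: a quote closes the value attribute,
    // then a script tag follows (taken from the question, not newly constructed).
    static final String PAYLOAD = "\"><sCrIpT>alert(83676)</sCrIpT>";

    // Minimal attribute encoder: escapes every character that can end a quoted
    // attribute value or start new markup. Stand-in for ESAPI.encoder().encodeForHTMLAttribute().
    public static String encodeForHtmlAttribute(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#x27;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Mirrors the original tag: ${param.eventId} dropped straight into the attribute.
    public static String renderUnsafe(String eventId) {
        return "<input type=\"hidden\" name=\"eventId\" value=\"" + eventId + "\"/>";
    }

    // Mirrors the fixed tag: the encoded value cannot terminate the quoted attribute.
    public static String renderSafe(String eventId) {
        return "<input type=\"hidden\" name=\"eventId\" value=\""
             + encodeForHtmlAttribute(eventId) + "\"/>";
    }

    public static void main(String[] args) {
        System.out.println("unsafe: " + renderUnsafe(PAYLOAD));
        System.out.println("safe:   " + renderSafe(PAYLOAD));
        // A simple check a test could assert: only the unsafe output carries a live script tag.
        System.out.println("unsafe contains <sCrIpT>: " + renderUnsafe(PAYLOAD).contains("<sCrIpT>"));
        System.out.println("safe contains <sCrIpT>:   " + renderSafe(PAYLOAD).contains("<sCrIpT>"));
    }
}
```

Encoding is context-specific: this encoder is correct for a quoted HTML attribute, but a value placed into a URL, a script block or a CSS rule needs the encoder for that context.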