First of all this is just a POC that seems to be working fine so far, basically I would like to know what you think of this kind of solution.
The problem:
I have this app with lot of EL code and now I'm supposed to prevent XSS errors my current solution so far (does not mean its the only thing I'm going to fix though) only involves preventing XSS in an EL context.
code below is in a jsp page:
This is your car color ${car.color}
car object is set as follows:
ModelAndView mv = new ModelAndView("page3");
String xss = "<script>window.alert('XSS!!');</script>";
Car c = new Car(xss);
mv.addObject("car", c);
return mv;
this way an alert message should popup, nothing new here...
my proposal (which is working ) is as follows
This is your car color${car.color.preventXSS}
this means like "adding" a preventXSS property to every String (I'm not modifying String class), I'm achieving this through a custom EL Resolver which is basically as follows
try {
value = context.getELResolver().getValue(context, base, property);
} catch (PropertyNotFoundException e) {
if ((base instanceof String) && property.equals(PREVENT_XSS)) {
context.setPropertyResolved(true);
value = ESAPI.encoder().encodeForHTML(base.toString());
}
}
where 'base' is in this case has the value <script>window.alert('XSS!!');<;/script>
and 'PREVENT_XSS' is the constant for 'preventXSS' which is the last property in our EL expression.
BTW I'm using OWASP esapi encoder for dealing with XSS, if needed this can be improved by adding other different encodings like encodeForHTMLAttribute and many other that OWASP's esapi supports.
note1: I know I can use an EL function to achieve the same but I wanted to just add 'property' preventXSS without having to include a jsp taglib directive in every page.
note2: I also know about the c:out jstl tag.
Yeah, the solution that you are proposing works, however one issue that I see is that the additional property can be confusing at maintenance time, due to the fact that is not following the EL standards. If you are using Spring MVC, you can take a look of the following approaches to prevent XSS:
Referece 1
Referece 2
Referece 3
Related
I implemented Aspose.Cells and Aspose.PDF into our companies existing application.
While I had some trouble with this (mostly caused by the fact that I tried to implement both APIs into the exat same file which was a bad idea)
I figured out how to make it work more or less.
My Problem now is while Aspose.Cells works perfectly fine and doesn't seem to have any unusual behavior Aspose.PDF already struggles with setting the license and even when I eventually got this to work I can't even initiate a Aspose::Pdf::Document.
So the first totally unusual thing is the way I had to set the License in the Example code given with the Aspose Package and in the official resources the license is set like this.
auto lic = System::MakeObject<Aspose::Pdf::License>();
lic->SetlLicense("c:\\Foo\fooproj\\Aspose.Total.C++.lic");
This code won't run on my machine and cause the error.
Rough Translation
food.exe triggered a breakpoint
Original
food.exe Hat einen Haltepunkt ausgelöst
The same happens when I initialise a System::String with a emtpy constructor like this.
auto lic = System::MakeObject<Aspose::Pdf::License>();
System::String str;
str.FromUtf8("C:\\foo\fooproj\\Aspose.Total.C++.lic");
lic->SetLicense(str);
BUT if I initialise the System::String with an empty String in the first place setting the license seems to work just fine so this works.
auto lic = System::MakeObject<Aspose::Pdf::License>();
System::String str(u"");
str.FromUtf8("C:\\Projekte\\Aspose\\Lizens\\Aspose.Total.C++.lic");
lic->SetLicense(str);
If this code above works and I try to make an object from Aspose::Pdf::Document this will crash.
void Aspose_pdf::helloWorld()
{
auto doc = System::MakeObject<Aspose::Pdf::Document>();
.....
.....
}
I actually have no idea what's going on. I am not using any using namespace commands at the moment.
Would be greate if someone had an idea how to fix this.
Edit:
The error occures exactly in smart_ptr.h in the following function.
typename std::enable_if<!IsSmartPtr<T>::value, SmartPtr<T> >::type MakeObject(Args&&... args)
{
System::Detail::OwnNextObject ownershipSentry;
T *const object = ::new T(std::forward<Args>(args)...);
ownershipSentry.CreatedSuccessfully(object);
return SmartPtr<T>(object);
}
in the second line so T *const object = ::new T(std::forward<Args>(args)...);
is "causing" the error or atleast here the error will ne triggered.
Edit2:
Here you will find a simple example of how my code looks in general.
I Started with implementing Aspose.Pdf into my Programm so I edited my
Additional Library directories,additional dependencies, additional include directories,preprozessor definitions and my stacksize to fit these settings given in the Aspose.Pdf examples.
After this I created my Aspose_Pdf class and tested it. worked perferctly so far.
After this I made the same edits to fit Aspose.Cells aswell. Also I created a class Aspose_Cells and tested it. While this worked now my Aspose_Pdf class stoped working. After a little time passed I managed to atleast get the License Activation for Aspose_Pdf to work from this point on I had the problems described above.
Additional Dependencies:
...
Aspose.PDF_vc141x64d.lib
aspose_cpp_vc141x64d.lib
Aspose.Cells.lib
Additional Librariedirectories:
...
..\Aspose\Aspose.PDF\lib\Debug
..\Aspose\Aspose.Cells\lib64
additional Includedirectories
...
..\Aspose\Aspose.PDF\lib\Debug
..\Aspose\Aspose.PDF\include\asposecpplib
..\Aspose\Aspose.PDF\include\Aspose.Pdf.Cpp
..\Aspose\Aspose.Cells\Include
..\Aspose\Aspose.Cells\Include\icu\include
..\Aspose\Aspose.Cells\Include\boost
I've never heard about Aspose.Pdf neither I know how does System::MakeObject< work. But for me it looks that all the code might be simplified to next:
Aspose::Pdf::License^ lic = gcnew Aspose::Pdf::License();
System::String^ str = "C:\\foo\\fooproj\\Aspose.Total.C++.lic";
lic->SetLicense(str);
When it comes to Pdf.Document the initialization might look like this:
Aspose::Pdf::Document^ doc = gcnew Aspose::Pdf::Document();
We have a business need to collect specific bindings in every JSF page. and we do that inside overridden ViewHandlerWrapper class
I use the below code inside renderView method to get the whole expression value property for every RichInputText and it's work fine for me
ValueExpression valExp = Inputcomponent.getValueExpression("value");
String ExpressionString = valExp.getExpressionString();
output was: #{binding.EmployeeId.inputValue}
When I do the same against RichButtin I got null value as following:
ValueExpression valExp = Btncomponent.getValueExpression("actionlistener");
String ExpressionString = valExp.getExpressionString();
What is the wrong in my last peace of code?
Obtaining a ValueExpression form a RichInputText works because, as the name suggests, it evaluates to a value, which may or may not be an EL expression, let alone a method.
On the other hand, a RichButton does not really have to evaluate to something; rather, it aims to invoke behavior (i.e. a method), from which you would want a MethodExpression - though in this case, the closest we get to it is a MethodBinding.
Luckily, UIXCommand, a superclass of RichButton, provides two methods from which you can obtain your action listeners:
public final MethodBinding getActionListener()
From the MethodBinding returned, you can invoke getExpressionString() so you can get what you wanted - such as some actionListener EL string like #{binding.bean.actionListenerMethod}.
public final ActionListener[] getActionListeners()
Might be worth mentioning, though there is not much merit for this in your use case. It simply returns the listeners on which you can manually process the events.
It is possible to automatically generate Sitecore templates just coding models? I'm using Sitecore 8.0 and I saw Glass Mapper Code First approach but I cant find more information about that.
Not sure why there isn't much info about it, but you can definitely model/code first!. I do it alot using the attribute configuration approach like so:
[SitecoreType(true, "{generated guid}")]
public class ExampleModel
{
[SitecoreField("{generated guid}", SitecoreFieldType.SingleLineText)]
public virtual string Title { get; set; }
}
Now how this works. The SitecoreType 'true' value for the first parameter indicates it may be used for codefirst. There is a GlassCodeFirstDataprovider which has an Initialize method, executed in Sitecore's Initialize pipeline. This method will collect all configurations marked for codefirst and create it in the sql dataprovider. The sections and fields are stored in memory. It also takes inheritance into account (base templates).
I think you first need to uncomment some code in the GlassMapperScCustom class you get when you install the project via Nuget. The PostLoad method contains the few lines that execute the Initialize method of each CodeFirstDataprovider.
var dbs = global::Sitecore.Configuration.Factory.GetDatabases();
foreach (var db in dbs)
{
var provider = db.GetDataProviders().FirstOrDefault(x => x is GlassDataProvider) as GlassDataProvider;
if (provider != null)
{
using (new SecurityDisabler())
{
provider.Initialise(db);
}
}
}
Furthermore I would advise to use code first on development only. You can create packages or serialize the templates as usual and deploy them to other environment so you dont need the dataprovider (and potential risks) there.
You can. But it's not going to be Glass related.
Code first is exactly what Sitecore.PathFinder is looking to achieve. There's not a lot of info publicly available on this yet however.
Get started here: https://github.com/JakobChristensen/Sitecore.Pathfinder
Currently, I'm working on compiling old .cpp classes under C++ Builder XE. Apart from many troubles, there is one which I have completely no idea how to solve.
My code:
String txt = "<Not so long sql query>";
int licz = some_function(txt, dzeFDS); //1
//assigning licz to somewhere
txt = "<much longer query>";
licz = some_function(txt, budFDS); //2
Problem is that during second call of some_function program is stopped and i have this alert:
First chance exception at $75A1C42D. Exception class EDatabaseError with message 'budFDS: Type mismatch for field 'Function', expecting: String actual: WideString'. Process Call.exe (1896)
It's strange form be, bacause first call of some_function works fine, but this second one (with arguments with the same type) doesn't.
some_function code:
int __fastcall some_function(String txt, TIBDataSet *firDS)
{
firDS->Close();
firDS->SelectSQL->Text = txt;
firDS->Open(); //during debugging, exception occurs in this line
int count = 0;
while(!firDS->Eof)
{ count++;
firDS->Next();
}
return count;
}
Any ideas what why it happens?
Thanks in advance
There is much pain in your future.
Anyway, the problem you're having is with the database connection. There's a field in your database called "Function" that holds a string. This field came across as a String with the ancient database driver that this program originally used. Your shiny, new database driver is telling VCL to expect such things as Unicode, and VCL doesn't like to shove such things into plain Strings, so it expects you to have a WideString ready in which to shove it.
Fortunately, there are ways of beating VCL into submission. What you want to do, since you surely don't want to rewrite half the application by changing TIBDataSet, is to tell the connection not to bother with Unicode. In order to do this, you have to set up the TSQLConnection object with UseUnicode=false, which I hope (I have no way of testing VCL code anymore) should look something like this:
connection->Params->Add("UseUnicode=false");
Where connection is the TSQLConnection object. I think you have to do this before connecting to the database.
If that doesn't work, see if you can configure the database driver to not use Unicode.
Problem solved - this one field Function has other type in C++ Builder design view - it was TStringField, and rest fields has TIBStringField...
I'm trying to use the Code Templates feature with PHP in NetBeans (7.3), however I'm finding it rather limited. Given the following desired output:
public function addFoo(Foo $foo) {
$this->fooCollection[] = $foo;
}
I'm trying to have every instance of "foo"/"Foo" be variable; so I used a variable:
public function add${name}(${name} $$${name}) {
$this->${name}Collection[] = $$${name};
}
Of course, when expanded there isn't any regard given to the desired capitalization rules, because I can't find a way to implement that; the result being (given I populate ${name} with "Foo"):
public function addFoo(Foo $Foo) { // note the uppercase "Foo" in the argument
$this->FooCollection[] = $Foo; // and collection property names...
} // not what I had in mind
Now, I've read that NetBeans supports FreeMarker in it's templates, but that seems to be only for file-templates and not snippet-templates like these.
As far as I can tell, the FreeMarker version would look something like the following; however, it doesn't work, and ${name?capitalize} is simply seen as another variable name.
public function add${name?capitalize}(${name?capitalize} $$${name}) {
$this->${name}Collection[] = $$${name};
}
Passing "foo", allowing capitalize to fix it for type-names, second-words, etc.
Is there any way to get FreeMarker support here, or an alternative?
I'm open to any suggestions really; third-party plugins included. I just don't want to have to abandon NetBeans.
Addendum
The example given is trivial; an obvious solution for it specifically would be:
public function add${upperName}(${upperName} $$${lowerName}) {
$this->${lowerName}Collection[] = $$${lowerName};
}
Where upper/lower would be "Foo"/"foo" respectively. However, it's just an example, and I'm looking for something more robust in general (such as FreeMarker support)