[WEB SECURITY] HTMLEncoding in textarea in java
- From: "mike " <mike9966@xxxxxxxxxxxxxx>
- Subject: [WEB SECURITY] HTMLEncoding in textarea in java
- Date: 9 Sep 2008 15:18:48 -0000
Hi,

I have an instance where user-supplied data is initially stored in the database and later displayed back in the <textarea> field to the browser.

When I try to encode the value using server.encodeHTML, the script is still executing in the browser, leading to XSS.

To give an instance:

<bc:textarea name="userdata" id="userdata" (this,255);"'>${addEditConfigurationForm.userdata}</bc:textarea>

Kindly let me know how to implement encoding in this instance to mitigate XSS.

Thanks
Mike
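The following is an added example, not code from the original post or from the poster's application. It shows why encoding is needed inside a <textarea> and what the encoding must cover: the browser parses textarea content as RCDATA, so a stored value containing `</textarea>` closes the element and everything after it is parsed as ordinary markup. Entity-encoding `&`, `<`, `>`, `"` and `'` at the point of output defeats both that break-out and the attribute-context break-out suggested by the `"'` in the posted tag. The class, method names and the sample inputs below are all constructed for illustration.

```java
import java.util.Arrays;
import java.util.List;

/**
 * Added example (not from the original post): entity-encode a value before it is
 * written between <textarea> tags, and contrast it with writing it verbatim.
 */
public class TextareaEncodingDemo {

    /** Escape the five characters that can change HTML parsing context. */
    public static String escapeHtml(String in) {
        if (in == null) {
            return "";
        }
        StringBuilder sb = new StringBuilder(in.length() + 16);
        for (int i = 0; i < in.length(); i++) {
            char c = in.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Vulnerable rendering: the value is written as-is, which is what a bare ${...} does in a JSP. */
    public static String renderTextareaUnsafe(String name, String value) {
        return "<textarea name=\"" + name + "\" id=\"" + name + "\">"
                + value + "</textarea>";
    }

    /** Hardened rendering: the name (attribute context) and the value (RCDATA context) are both escaped. */
    public static String renderTextarea(String name, String value) {
        return "<textarea name=\"" + escapeHtml(name) + "\" id=\"" + escapeHtml(name) + "\">"
                + escapeHtml(value) + "</textarea>";
    }

    public static void main(String[] args) {
        // Constructed sample inputs for the demo; none of them come from the original post.
        List<String> samples = Arrays.asList(
                "plain text with 5 < 6 & 7 > 3",
                "</textarea><script>alert(document.cookie)</script>",
                "\"><img src=x onerror=alert(1)>"
        );
        for (String s : samples) {
            // The unsafe line shows the break-out; the safe line keeps the text inside the textarea.
            System.out.println("unsafe: " + renderTextareaUnsafe("userdata", s));
            System.out.println("safe:   " + renderTextarea("userdata", s));
            System.out.println();
        }
    }
}
```

In a JSP the same encoding is available without writing it by hand: `${fn:escapeXml(addEditConfigurationForm.userdata)}` (JSTL functions taglib) or `<c:out value="${addEditConfigurationForm.userdata}"/>` escapes these characters at render time, whereas a bare `${addEditConfigurationForm.userdata}` emits the stored value unchanged. Encode at the output point, in the JSP or tag that writes the value, rather than relying on the value having been encoded before it was stored; if any layer decodes it on the way back out, encoding done earlier is lost.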
Brought to you by http://www.webappsec.org