-2

My application is developed using Oracle ADF. I'm using <af:inputText> input fields in my forms.

Here I have to avoid HTML content in input fields. Is there a way in ADF to avoid HTML content in form input fields?

Awesome
  • Is this a validation-related issue? You want to prevent the user from submitting HTML to the server through your ADF inputs? – Jalal Sordo Oct 03 '16 at 01:18
  • @JalalSordo Yes, I have to prevent HTML content from client to server. – Awesome Oct 03 '16 at 04:41
  • Strip all HTML tags server-side with jsoup: http://stackoverflow.com/questions/12943734/jsoup-strip-all-formatting-and-link-tags-keep-text-only – Kukeltje Oct 05 '16 at 06:37

2 Answers

0

OWASP #3 - Cross-Site Scripting (XSS)

All data input to a system must be validated before it is persisted in the database. Especially data input that is later re-displayed on the application user interface exposes a risk of cross-site scripting.

To enforce valid data input in Oracle ADF, you should implement the following strategy:

  1. Limit the number of free-text input fields and replace them with select choices
  2. Validate all user input on more than one layer
  3. Escape output data

Reference: http://www.oracle.com/technetwork/developer-tools/adf/adfowasptop10-final-2348304.pdf

kishoreballa
0

One way to work this out is to add a validator on your inputText(s). So you'll have something like this:

<af:inputText ... validator="#{scope.beanName.methodName}" ... />

And of course in beanName, you'll have to add the validator method:

import java.util.regex.Pattern;
import javax.faces.application.FacesMessage;
import javax.faces.component.UIComponent;
import javax.faces.context.FacesContext;
import javax.faces.validator.ValidatorException;

// Signature JSF expects for the method referenced by validator="#{scope.beanName.methodName}"
public void methodName(FacesContext pContext, UIComponent pComponent, Object pValue) {
  String userInput = pValue == null ? "" : pValue.toString();
  if( containsHtml(userInput) ) {
     FacesMessage message = new FacesMessage(FacesMessage.SEVERITY_ERROR, "HTML is not allowed in this field", null);
     throw new ValidatorException(message); // JSF treats only ValidatorException as a validation failure
  }
}

// Illustrative check standing in for "your logic": flags anything shaped like an HTML tag
private static final Pattern HTML_TAG = Pattern.compile("</?[A-Za-z!?][^>]*>?");
public boolean containsHtml(String pUserInput) { return HTML_TAG.matcher(pUserInput).find(); }
Mouhcine
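As an added example (not part of either answer, and not Oracle ADF or JSF library code), the two layers the first answer recommends, rejecting markup on input and escaping on output, in plain Java so it runs without a JSF container; a validator method like the one above can delegate to `containsHtml`. The class name `HtmlInputPolicy`, the regexes and the sample inputs are constructed for this illustration.

```java
import java.util.List;
import java.util.regex.Pattern;

// Hypothetical helper class, constructed for this example; a validator method can delegate to containsHtml().
public final class HtmlInputPolicy {
    // Anything shaped like an opening/closing tag, comment or processing instruction: <b>, </b>, <!--, <?xml
    private static final Pattern TAG = Pattern.compile("</?[A-Za-z!?][^>]*>?");
    // Entity-encoded angle brackets. Harmless while output is escaped, but they turn into markup if any later
    // step HTML-decodes the stored value, so rejecting them here is the conservative choice.
    private static final Pattern ENCODED_ANGLE =
        Pattern.compile("&(lt|gt|#0*(60|62)|#x0*(3c|3e));", Pattern.CASE_INSENSITIVE);

    /** Layer 1 (input validation): true if the value should be rejected because it carries HTML. */
    public static boolean containsHtml(String userInput) {
        if (userInput == null || userInput.isEmpty()) {
            return false; // empties are the job of required="true" on the component
        }
        return TAG.matcher(userInput).find() || ENCODED_ANGLE.matcher(userInput).find();
    }

    /** Layer 2 (output escaping): neutralise the characters that matter in HTML text and attribute contexts. */
    public static String escapeForHtml(String value) {
        if (value == null) {
            return "";
        }
        StringBuilder out = new StringBuilder(value.length() + 16);
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            switch (c) {
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '&':  out.append("&amp;");  break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed sample inputs: two legitimate values (one with bare < and >) and two that carry markup
        List<String> samples = List.of("John O'Brien", "a < b && b > c", "Hello <b>world</b>", "x&lt;img src=x&gt;");
        for (String s : samples) {
            System.out.printf("%-22s containsHtml=%-5b escaped=%s%n", s, containsHtml(s), escapeForHtml(s));
        }
    }
}
```

The second sample shows why both layers are needed: "a < b && b > c" is legitimate input that passes validation, yet it still has to be escaped before it is redisplayed.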