
Please consider this sample action, which checks a user's uploaded file and returns a JSON of errors to the user if anything is wrong.

The text in the jsp:

Your file has this text which is not correct : I are a programmer

import java.util.ArrayList;
import java.util.List;
import org.apache.struts2.convention.annotation.Action;
import org.apache.struts2.convention.annotation.Result;

public class SampleAction {

    private List<String> errorCodesForFileUpload = new ArrayList<String>();

    @Action(value = "sample-upload",
            results = { @Result(name = "success", type = "json" .... }

    public String upload() {
        // process the user file and report the incorrect lines to the user
        errorCodesForFileUpload.add("Your file has this text which is not correct:" + USER_TEXT_IN_THE_FILE);
        return "success";
    }

}

In the JSP we parse and show the errorCodesForFileUpload. This has an XSS vulnerability (if the file has any JavaScript in it).

I can fix it by escaping user text, before adding it to errorCodesForFileUpload.

But there are many actions which have been developed like this.

Is there any better way to customize the JSON result and escape every string before writing it?

Alireza Fattahi
  • There are multiple approaches; a generic action with a `PreResultListener` that escapes some/all action parameters may be the easiest, or a response wrapper. It’s difficult to say what’s best/easiest w/o insight into the app, though. – Dave Newton Jul 31 '21 at 12:40
  • I don't know if it's better to extend/customize the `json` result but there's a lot of different approaches to affect the JSON returned by the result. One of them I explored in [this](https://stackoverflow.com/q/35753928/573032) question. Then you just need to override the `json` result type, or remove JSON plugin at all. – Roman C Aug 04 '21 at 10:03
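One way to implement the PreResultListener approach from the first comment, as an added example that is not part of the question or of Struts itself: an interceptor that, just before the json result serialises the action, HTML-escapes every string the action exposes. It assumes each action implements a hypothetical HasUserVisibleMessages interface returning its error list (the SampleAction above would need a getter for errorCodesForFileUpload), and that the JSP inserts those strings into HTML, which is the context this escaping is for.

```java
import java.util.List;
import java.util.ListIterator;
import com.opensymphony.xwork2.ActionInvocation;
import com.opensymphony.xwork2.interceptor.AbstractInterceptor;

/** Hypothetical marker interface: an action exposes the messages it puts into the JSON result. */
interface HasUserVisibleMessages {
    List<String> getUserVisibleMessages();
}

/** Registers a PreResultListener so the messages are HTML-escaped once, right before the json result runs. */
public class EscapeMessagesInterceptor extends AbstractInterceptor {

    @Override
    public String intercept(ActionInvocation invocation) throws Exception {
        Object action = invocation.getAction();
        if (action instanceof HasUserVisibleMessages) {
            // PreResultListener is a single-method interface, so a lambda is enough
            invocation.addPreResultListener((inv, resultCode) ->
                escapeInPlace(((HasUserVisibleMessages) action).getUserVisibleMessages()));
        }
        return invocation.invoke();
    }

    /** Replaces each element with its escaped form; the json result then only ever sees escaped text. */
    static void escapeInPlace(List<String> messages) {
        for (ListIterator<String> it = messages.listIterator(); it.hasNext(); ) {
            it.set(escapeHtml(it.next()));
        }
    }

    /** Escapes the five characters that let user text break out of an HTML text or attribute context. */
    static String escapeHtml(String s) {
        if (s == null) return null;
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }
}
```

The interceptor still has to be added to the interceptor stack of the relevant package in struts.xml; escaping for HTML here is only correct if the JSP renders the strings as HTML, since a page that sets them via textContent would show the entities literally.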
