I would make a slight change to your routine that writes dynamic data as
HTML:
public void writeDetail(String[] fieldList, ResultSet rs, PrintWriter out) {
    try {
        while (rs.next()) {
            out.println("</tr><tr>");
            for (int i = 0; i < fieldList.length; i++) {
                // getString() returns null for a SQL NULL column, so guard it before trim()
                String value = rs.getString(fieldList[i]);
                if (value == null) {
                    value = "";
                }
                // encode the value before it is concatenated into the HTML
                out.println("<td>" + encode(value.trim()) + "</td>");
            }
        }
    } catch (Exception e) {
        out.println("<br>Error Message (writeDetail): " + e);
    }
}
This is an example of an encode() method:
public static String encode(String str) {
    StringBuffer encoded = new StringBuffer(str.length() * 2);
    for (int i = 0; i < str.length(); i++) {
        switch (str.charAt(i)) {
            // each special character becomes an entity reference, so the browser
            // displays it instead of parsing it as markup
            case '<'  : encoded.append("&lt;");   break;
            case '>'  : encoded.append("&gt;");   break;
            case '"'  : encoded.append("&quot;"); break;
            case '\'' : encoded.append("&#39;");  break;
            case '%'  : encoded.append("&#37;");  break;
            case ';'  : encoded.append("&#59;");  break;
            case '('  : encoded.append("&#40;");  break;
            case ')'  : encoded.append("&#41;");  break;
            case '&'  : encoded.append("&amp;");  break;
            case '+'  : encoded.append("&#43;");  break;
            default   : encoded.append(str.charAt(i));
        }
    }
    return encoded.toString();
}
This is a standard defense against one of the hacking techniques. Imagine
if someone had keyed the following into a field like an address:
[script]alert('Hi fathead!');[/script]
(The mailing list bounced my original message because of the beginning and
ending script tags. You'll have to substitute <> for [] in my example.)
Anybody who knows a little about JavaScript can see what will happen
if this data were included in your HTML. Imagine the kind of things that
you could do.
Joe Teff
+---
| This is the JAVA/400 Mailing List!
| To submit a new message, send your mail to JAVA400-L@midrange.com.
| To subscribe to this list send email to JAVA400-L-SUB@midrange.com.
| To unsubscribe from this list send email to JAVA400-L-UNSUB@midrange.com.
| Questions should be directed to the list owner: joe@zappie.net
+---
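An added example (my own, not code from Joe's message): it runs an HTML encoder of the kind he describes over the script payload from his example, over an attribute-breaking string, and over a NULL column, and builds the table from constructed rows instead of a JDBC ResultSet so it runs offline. The class and method names (HtmlEncodeDemo, encodeForHtml, renderTable, isInert) and the sample rows are my own.

```java
import java.io.PrintWriter;
import java.io.StringWriter;
import java.util.Arrays;
import java.util.List;

/** Added example, not from the original post: HTML output encoding exercised against XSS payloads. */
public class HtmlEncodeDemo {

    /**
     * Entity-encode the five characters that let untrusted text break out of an
     * HTML text node or a double-quoted attribute value.
     */
    public static String encodeForHtml(String str) {
        if (str == null) {
            return "";   // assumption: a SQL NULL renders as an empty cell instead of an NPE from trim()
        }
        StringBuilder encoded = new StringBuilder(str.length() * 2);
        for (int i = 0; i < str.length(); i++) {
            char c = str.charAt(i);
            switch (c) {
                case '&':  encoded.append("&amp;");  break;   // otherwise an attacker-supplied "&lt;" survives as an entity
                case '<':  encoded.append("&lt;");   break;
                case '>':  encoded.append("&gt;");   break;
                case '"':  encoded.append("&quot;"); break;
                case '\'': encoded.append("&#39;");  break;   // numeric form; &apos; is not defined in HTML 4
                default:   encoded.append(c);
            }
        }
        return encoded.toString();
    }

    /** Same shape as writeDetail in the post, fed from constructed String[] rows instead of a ResultSet. */
    public static String renderTable(List<String[]> rows) {
        StringWriter buffer = new StringWriter();
        PrintWriter out = new PrintWriter(buffer);
        out.println("<table><tr>");
        for (String[] row : rows) {
            out.println("</tr><tr>");
            for (String field : row) {
                String cell = (field == null) ? null : field.trim();   // trim() only on non-null data
                out.println("<td>" + encodeForHtml(cell) + "</td>");
            }
        }
        out.println("</tr></table>");
        out.flush();
        return buffer.toString();
    }

    /**
     * Check a practitioner can run on encoded output: after removing the entities we
     * emit ourselves, nothing that opens a tag, closes a tag, ends a quoted attribute
     * or starts another entity may remain.
     */
    public static boolean isInert(String encoded) {
        String stripped = encoded.replace("&amp;", "").replace("&lt;", "").replace("&gt;", "")
                                 .replace("&quot;", "").replace("&#39;", "");
        for (char c : stripped.toCharArray()) {
            if (c == '<' || c == '>' || c == '"' || c == '\'' || c == '&') {
                return false;
            }
        }
        return true;
    }

    public static void main(String[] args) {
        // Constructed sample rows: the payload from the post, a string that tries to
        // close a quoted attribute and add an event handler, and a NULL column.
        List<String[]> rows = Arrays.asList(
            new String[] {"Joe", "<script>alert('Hi fathead!');</script>"},
            new String[] {"Eve", "\" onmouseover=\"alert(1)"},
            new String[] {"Nobody", null});

        for (String[] row : rows) {
            String encoded = encodeForHtml(row[1]);
            System.out.println(row[0] + ": " + encoded + "   inert=" + isInert(encoded));
        }
        System.out.println(renderTable(rows));
    }
}
```

Compile and run it with `javac HtmlEncodeDemo.java && java HtmlEncodeDemo`; the script payload comes out as `&lt;script&gt;alert(&#39;Hi fathead!&#39;);&lt;/script&gt;`, which the browser shows as text. Two caveats worth keeping in mind: this encoding is correct for an HTML text node (the body of a `<td>`) and for a double-quoted attribute value, but it does not make data safe as a URL in `href` or `src`, inside an inline event handler, or inside a `<script>` block, each of which needs its own escaping rules; and `rs.getString()` returns null for a SQL NULL, so a bare `.trim()` on it throws NullPointerException, which is why renderTable checks for null first.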