
Zero XML Encoder Utility

Description

XMLEncoder is a utility class for XML entity encoding. A Web site may inadvertently include malicious HTML tags or scripts in a dynamically generated page when that page is built from unvalidated input from untrustworthy sources. By following a malicious URL to the application server, a user may unknowingly execute script code on their own machine, with full access to the data and resources on that machine; the browser runs the script without the user's knowledge. The malicious tags embedded in this way are <script> and </script>. The problem is prevented if server-generated pages are encoded so that the scripts cannot execute. Developers generating responses that contain client data taken from HTTP requests can encode the response data with the following static method: zero.util.XMLEncoder.escapeXML(String s)

PHP: PHP developers may use htmlentities() to convert characters to HTML entities. Refer to PHP Core String Functions for more information.

Example

The typical use case is a malicious request parameter sent by the client to the server in a URL constructed like http://localhost:8080/test.groovy?param1=<script>alert('message')</script>. In this example, the request parameter param1 contains a JavaScript alert() call which, if executed, would display the word 'message' in a dialog window in the client browser. To prevent this, a developer can use the Zero method XMLEncoder.escapeXML(String s).

Below is an example Groovy code snippet that reads the incoming request parameter 'param1', escapes the malicious content and prints it.

// Read the incoming request parameter 'param1' (it may contain markup)
def paramValue = request.params.param1
// Replace the XML-special characters (such as < and >) with entity references
def paramValueEscaped = zero.util.XMLEncoder.escapeXML(paramValue)
// Emit the escaped text into the response body
print paramValueEscaped

The result of escapeXML can be seen in the browser's view-source:

[image: escapeXMLViewSource.JPG]

with the following being displayed in the browser:

[image: escapeXMLBrowser.JPG]

Because the script tag is escaped, the browser does not interpret the encoded HTML entities as markup; the content is rendered as text instead of the script being executed on the client.
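To make the effect of entity encoding concrete, the following is an added Python illustration of the same idea (it is not Project Zero's code; in a Zero handler use zero.util.XMLEncoder.escapeXML). It encodes the five XML-special characters, treats an absent parameter as the empty string (an assumption about the handler, not stated above), and contrasts the escaped output with emitting the parameter unescaped:

```python
# Added illustration of XML entity encoding for reflected request data.
# This is NOT zero.util.XMLEncoder; it models the same technique in Python.
from typing import Optional

# The five characters with special meaning in XML, mapped to their entities.
# All five are replaced in a single pass, so the "&" inside an entity we
# emit (e.g. "&lt;") is never re-encoded.
XML_ENTITIES = {
    "&": "&amp;",
    "<": "&lt;",
    ">": "&gt;",
    '"': "&quot;",
    "'": "&apos;",  # assumption: the real escapeXML may use &#39; instead
}


def escape_xml(s: Optional[str]) -> str:
    """Replace each XML-special character in s with its entity reference.

    None (parameter absent from the request) is encoded as "" so a handler
    can pass request parameters straight through without a null check.
    """
    if s is None:
        return ""
    return "".join(XML_ENTITIES.get(ch, ch) for ch in s)


def is_inert(text: str) -> bool:
    """True if text contains no raw markup or quote characters.

    This is the property that stops a browser from parsing "<script>"
    as a tag: only entity references remain, which render as text."""
    return not any(ch in text for ch in "<>\"'")


def render_param_unescaped(param1: Optional[str]) -> str:
    """The pattern the page warns against: echo the parameter as-is."""
    return param1 or ""


def render_param(param1: Optional[str]) -> str:
    """Model of the Groovy handler above: read param1, escape it, emit it."""
    return escape_xml(param1)


if __name__ == "__main__":
    # Constructed sample: the payload from the example URL on this page.
    payload = "<script>alert('message')</script>"
    print(render_param(payload))  # &lt;script&gt;alert(&apos;message&apos;)&lt;/script&gt;
    print(is_inert(render_param_unescaped(payload)))  # False
    print(escape_xml("&lt;b&gt;"))  # &amp;lt;b&amp;gt; (already-encoded input is encoded again)
```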

r5 - 26 Oct 2007 - 10:17:18 - robinf
Copyright 2007 © IBM Corporation