Prentice Hall and Sun Microsystems. Personal use only; do not redistribute.
3.6 Filtering Strings for HTML-Specific Characters
Normally, when a servlet wants to generate HTML that will contain characters like < or >, it simply uses &lt; or &gt;, the standard HTML character entities. Similarly, if a servlet wants a double quote or an ampersand to appear inside an HTML attribute value, it uses &quot; or &amp;. Failing to make these substitutions results in malformed HTML code, since < or > will often get interpreted as part of an HTML markup tag, a double quote in an attribute value may be interpreted as the end of the value, and ampersands are just plain illegal in attribute values. In most cases, it is easy to note the special characters and use the standard HTML replacements. However, there are two cases when it is not so easy to make this substitution manually.

The first case where manual conversion is difficult occurs when the string is derived from a program excerpt or another source where it is already in some standard format. Going through manually and changing all the special characters can be tedious in such a case, but forgetting to convert even one special character can result in your Web page having missing or improperly formatted sections (see Figure 3-9 later in this section).

The second case where manual conversion fails is when the string is derived from HTML form data. Here, the conversion absolutely must be performed at runtime, since of course the query data is not known at compile time. Failing to do this for an internal Web page can also result in missing or improperly formatted sections of the servlet's output if the user ever sends these special characters. Failing to do this filtering for externally accessible Web pages also lets your page become a vehicle for the cross-site scripting attack. Here, a malicious programmer embeds GET parameters in a URL that refers to one of your servlets. These GET parameters expand to HTML
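As an added example (not code from the book), the following filter method performs the runtime substitution the text describes and applies it to a constructed form value echoed into an attribute; it goes one step beyond the four characters listed above by also escaping the single quote, which matters when an attribute value is delimited with ' instead of ".

```java
/**
 * Added example: replaces the HTML-significant characters discussed in the text
 * with their standard entities so that user-supplied or program-derived strings
 * are displayed as text rather than interpreted as markup.
 */
public class HtmlFilter {

    /** Return a copy of input in which each HTML-special character is an entity. */
    public static String filter(String input) {
        if (input == null) {
            return "";
        }
        StringBuilder filtered = new StringBuilder(input.length() + 16);
        for (int i = 0; i < input.length(); i++) {
            char c = input.charAt(i);
            switch (c) {
                case '<':  filtered.append("&lt;");   break;
                case '>':  filtered.append("&gt;");   break;
                case '"':  filtered.append("&quot;"); break;
                case '&':  filtered.append("&amp;");  break;
                // Not in the text's list of four; needed inside '-quoted attribute values.
                case '\'': filtered.append("&#39;");  break;
                default:   filtered.append(c);
            }
        }
        return filtered.toString();
    }

    public static void main(String[] args) {
        // Constructed sample value; in a servlet it would come from request.getParameter(...)
        // and must be filtered at runtime, since it is not known at compile time.
        String formValue = "Tom & Jerry <b>\"fans\"</b>";
        String unfiltered = "<input type=\"text\" name=\"name\" value=\"" + formValue + "\">";
        String filtered   = "<input type=\"text\" name=\"name\" value=\"" + filter(formValue) + "\">";
        // Unfiltered: the embedded quote ends the attribute early and <b> becomes a tag.
        System.out.println("Unfiltered: " + unfiltered);
        // Filtered: the whole value survives as the text the user typed.
        System.out.println("Filtered:   " + filtered);
    }
}
```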