Arc Forum | Against my better judgement, here's a JSP solution: <!DOCTYPE html PUBLIC "...

Arc Forum

2 points by kens 6115 days ago | link | parent

Against my better judgement, here's a JSP solution:

  <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
        "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
  <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
  <head><meta http-equiv="Content-Type" content="text/html;charset=utf-8" />
  <title>Contrived example</title></head><body><div>
  <% if (null == session.getAttribute("page")) {
        session.setAttribute("page", "1"); %>
        <form action="said.jsp" method="post">
        <div><label>Enter something <input type="text" name="foo"/>
        <input type="submit"/></label></div></form>
  <% } else if ("1".equals(session.getAttribute("page"))) {
        session.setAttribute("page", "2");
        session.setAttribute("value", request.getParameter("foo")); %>
        <a href="said.jsp">click here</a>
  <% } else if ("2".equals(session.getAttribute("page"))) {
        session.setAttribute("page", null); %>
        you said: <%= org.apache.commons.lang.StringEscapeUtils.escapeHtml((String)session.getAttribute("value")) %>
  <% } %>
  </div></body></html>

While it's not as concise as the Arc solution, it does have some advantages. First, it satisfies the requirement of returning the user's input, even for accented characters. Second, it doesn't pass stuff in the URL like the Arc solution. Third, it plugs the obvious XSS hole. Fourth, it produces valid HTML. (I picked XHTML for maximum pain :-)

1 point by namaste 6115 days ago | link

Here's this same thing translated to Ruby + custom Web Framework + Tenjin (which does the escaping with the ${} command. #{} and it does not escape.)

  <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
        "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
  <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
  <head><meta http-equiv="Content-Type" content="text/html;charset=utf-8" />
  <title>Contrived example</title></head><body><div>
  <?rb if not @w.session['page']
        @w.session['page'] = '1' ?>
        <form action="jsp_said" method="post">
        <div><label>Enter something <input type="text" name="foo"/>
        <input type="submit"/></label></div></form>
  <?rb elsif @w.session['page'] == '1'
        @w.session['page'] = '2'
        @w.session['value'] = @w.f('foo') ?>
        <a href="jsp_said">click here</a>
  <?rb elsif @w.session['page'] == '2'
        @w.session["page"] = nil ?>
        you said: ${@w.session['value']}
  <?rb end ?>
  </div></body></html>

-----