[opencms-dev] [Solved] Problem security with HTML Injection in Implementation Project in OpenCms...

Deiverson Silveira deiverson at solutioncms.com
Mon May 23 22:20:18 CEST 2011


=)

You can use mod_rewrite to do this replacement, see this example for <:

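# Replace two literal < characters per pass, then restart the rules ([N])
RewriteCond %{QUERY_STRING} ^([^<]*)<([^<]*)<(.*)
RewriteRule ^ %{REQUEST_URI}?%1&lt;%2&lt;%3 [N]
# Replace the last remaining < and stop ([L])
RewriteCond %{QUERY_STRING} ^([^<]*)<([^<]*)$
RewriteRule ^ %{REQUEST_URI}?%1&lt;%2 [L]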

The first rule will replace two < characters at a time and the second will
end the recursion. The other characters can be replaced in the same way
(just replace < and &lt; with the other pairs).

But using mod_rewrite for this kind of work is not that suitable because

   1. mod_rewrite allows replacing only a fixed number of occurrences at a
   time and
   2. the number of replacements is limited by the internal redirection
   counter that is used to avoid infinite recursion.

Although the second statement does not apply in this case due to the usage
of the *N* flag <http://httpd.apache.org/docs/2.2/rewrite/rewrite_flags.html#flag_n>,
*I would not recommend the usage of mod_rewrite for this kind of work*.

I would rather recommend doing this in the web application, possibly just
before putting your data out into an HTML document, and not in a prophylactic
manner for every input no matter how that data is processed.
Source:
http://stackoverflow.com/questions/2715614/apache-mod-rewrite-replace-characters-in-request-uri

2011/5/20 Deiverson Silveira <deiverson at solutioncms.com>

> Hi List,
>
> Is there some setting in OpenCms to set the escapehtml to false?
>
> I do not want to deal in all places like this (very hard work):
>
> org.apache.commons.lang.StringEscapeUtils.escapeHtml(request.getParameter(myParameter));
>
> Thank you in advance for any help,
>
> Deiverson Silveira
>
> PS: Example in Tomcat config, catalina.properties, accept double " :
> org.apache.jasper.compiler.Parser.STRICT_QUOTE_ESCAPING=false
>
> PS2: I use JBoss 4.2.1 and 4.2.2 =|
>
> --
> *
> www.solutioncms.com
> The Brazilian
> Official Provider OpenCms
> *
>



-- 
*
www.solutioncms.com
The Brazilian
Official Provider OpenCms
*
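
Added example (not part of the original thread and not OpenCms code): a small Java program contrasting rewriting the query string with escaping at output time, as the quoted answer recommends. The class and method names and the sample query strings are constructed; `rewriteModel` is a simplified model of the rules above, assuming they act on the raw, still percent-encoded query string.

```java
import java.net.URLDecoder;
import java.util.LinkedHashMap;
import java.util.Map;

public class EscapeAtOutputDemo {

    // Simplified model (assumption) of the rewrite rules: they match the raw,
    // still percent-encoded query string and replace each literal '<'.
    static String rewriteModel(String rawQuery) {
        return rawQuery.replace("<", "&lt;");
    }

    // Roughly what a servlet container does before getParameter(): split on
    // '&', split on the first '=', then percent-decode name and value.
    static Map<String, String> parseQuery(String rawQuery) throws Exception {
        Map<String, String> params = new LinkedHashMap<String, String>();
        for (String pair : rawQuery.split("&")) {
            if (pair.isEmpty()) continue;
            int eq = pair.indexOf('=');
            String name = eq < 0 ? pair : pair.substring(0, eq);
            String value = eq < 0 ? "" : pair.substring(eq + 1);
            params.put(URLDecoder.decode(name, "UTF-8"), URLDecoder.decode(value, "UTF-8"));
        }
        return params;
    }

    // Escape at output time, for HTML text and quoted attribute values.
    static String escapeHtml(String s) {
        if (s == null) return "";
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&': out.append("&amp;"); break;
                case '<': out.append("&lt;"); break;
                case '>': out.append("&gt;"); break;
                case '"': out.append("&quot;"); break;
                case '\'': out.append("&#39;"); break;
                default: out.append(c);
            }
        }
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample query strings: literal and percent-encoded markup.
        for (String raw : new String[] {"name=<b>Ana</b>", "name=%3Cb%3EAna%3C%2Fb%3E"}) {
            String q = parseQuery(rewriteModel(raw)).get("name");
            System.out.println(raw + " -> getParameter: [" + q + "] -> output: [" + escapeHtml(q) + "]");
        }
    }
}
```

In the first sample the `&` of the inserted `&lt;` acts as a parameter separator, so `name` arrives empty; in the second the percent-encoded markup is untouched by the rewrite model and is only neutralised by `escapeHtml` at output.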