Spring - MVC - Sanitize URL before redisplaying to the user

Posted by Raghav on Stack Overflow See other posts from Stack Overflow or by Raghav
Published on 2012-03-21T21:58:01Z Indexed on 2012/03/21 23:29 UTC
Read the original article Hit count: 308

Filed under:

java

|

spring

|

spring-mvc

In my application , a HTTP GET request URL to the application with script tag is getting redisplayed as it is although it fails the authorization.

Example: http://www.example.com/welcome<script>alert("hi")</script>

The issue is sanitizing external input entered directly into address bar by modifying existing GET URL. Spring redisplays the submitted URL as it is.

Though the script does not get executed in the browser(FF), is there anyway to strip the URL of these values before displaying it back to the user

Reference: Spring MVC application filtering HTML in URL - Is this a security issue?

© Stack Overflow or respective owner

Related posts about java

Tomcat 6: Access Control Exception?

as seen on Server Fault - Search for 'Server Fault'
I'm trying to setup a tomcat6 server, and I'm trying to match another setup someone else established. However, my deployment (default Ubuntu install) uses a policy.d/ directory structure, and the established server just uses a catalina.policy file. I've tried setting every entry in policy.d to match… >>> More
Problem in creation MDB Queue connection at Jboss StartUp

as seen on Stack Overflow - Search for 'Stack Overflow'
I am not able to create a Queue connection in JBOSS4.2.3GA Version & Java1.5, as I am using MDB as per the below details. I am putting this MDB in a jar file(named utsJar.jar) and copied it in deploy folder of JBOSS, In the test env. this MDB works well but in another env. [ env settings and… >>> More
failing to establish connection between Postgres db and gwt

as seen on Stack Overflow - Search for 'Stack Overflow'
Hi, I am using Postgres and gwt 2.0 for one of my applications. I am facing problem connecting to the database. When I try to connect it gives "ClassNotFoundException". Here is what I get when I try to connect to database: java.lang.ClassNotFoundException: org.postgresql.Driver at java.net… >>> More
failing to establish connection between postgre db and gwt

as seen on Stack Overflow - Search for 'Stack Overflow'
Hi, For i am using postgre and gwt 2.0 for one of my applications. I am facing problem connecting to the database. When i try to connect it gives "ClassNotFoundException". Here is what i get when i try to connect to database: java.lang.ClassNotFoundException: org.postgresql.Driver at java.net… >>> More
Migration and deployement problems JBoss 4.2.2.GA to JBoss 6.0.0.M2

as seen on Stack Overflow - Search for 'Stack Overflow'
Hi, I'm trying to migrate an application running on JBoss 4.2.2.GA to JBoss 6.0.0.M2 I give you some log to explain my problem : boot.log : 2010-03-16 09:59:29,406 ERROR [org.jboss.system.server.profileservice.ProfileServiceBootstrap] (Thread-2) Failed to load profile: Summary of incomplete deployments… >>> More

Related posts about spring

Why is Java EE 6 better than Spring ?

as seen on Oracle Blogs - Search for 'Oracle Blogs'
Java EE 6 was released over 2 years ago and now there are 14 compliant application servers. In all my talks around the world, a question that is frequently asked is Why should I use Java EE 6 instead of Spring ? There are already several blogs covering that topic: Java EE… >>> More
Spring??Java EE 6?! ???????????????·????????Java Developers Workshop 2012 Summer????

as seen on Oracle Blogs - Search for 'Oracle Blogs'
?Java EE 6??????????????????????????????????????/?????????????????????????Spring Framework?????????????????????????????????????????????????????????????????????????????? “Spring to Java EE 6”????·????????????????????Java EE 6????????????????????IT???????????????Java??????????????·???????????????8?… >>> More
Spring 3.0: Unable to locate Spring NamespaceHandler for XML schema namespace

as seen on Stack Overflow - Search for 'Stack Overflow'
My setup is fairly simple: I have a web front-end, back-end is spring-wired. I am using AOP to add a layer of security on my rpc services. It's all good, except for the fact that the web app aborts on launch: [java] SEVERE: Context initialization failed [java] org.springframework.beans… >>> More
Applying ServiceKnownTypeAttribute to WCF service with Spring

as seen on Stack Overflow - Search for 'Stack Overflow'
I am trying to apply the ServiceKnownTypeAttribute to my WCF Service but keep getting the error below my config. Does anyone have any ideas? <object id="HHGEstimating" type="Spring.ServiceModel.ServiceExporter, Spring.Services"> <property name="TargetName" value="HHGEstimatingHelper"/> … >>> More
Where is the sample applications in the lastest Spring release(Spring Framework 3.0.2)?

as seen on Stack Overflow - Search for 'Stack Overflow'
Hi guys, On the Spring download page, It says that For all Spring Framework releases, the basic release contains only the binaries while the -with-dependencies release contains everything the basic release contains plus all third-party dependencies, buildable source trees, and sample… >>> More