I'm working on a small JSTL project and I want to prevent XSS; the first step I want to take is escaping in HTML.
Is there a rule for what I should escape and what not?
For example, the following code prints out a form from the database points:
<c:forEach var="player" items="${players}" varStatus="counter">
<li>
<label for="<c:out value="${counter.count}"/>"><c:out value="${player.email}"/>:</label>
<input class="values" id="<c:out value="${counter.count}"/>" type="number" name="<c:out value="${player.id}"/>" ondblclick="fillInInput(this)" autocomplete="off" placeholder="<c:out value="${player.points}"/>">
</li>
</c:forEach>
This prints some error messages:
<c:if test="${errors.size() >0}">
<div id="errors">
<c:forEach var="error" items="${errors}">
<p><c:out value="${error}"/></p>
</c:forEach>
</div>
</c:if>
This prints a list with rewards from the database
<c:forEach var="reward" items="${rewards}">
<tr>
<td><c:out value="${reward.name}"/></td>
</tr>
</c:forEach>
This prints a checkbox list with rewardtypes which the user can choose from:
<c:forEach var="reward" items="${rewards}" varStatus="counter">
<li><input id="<c:out value="${counter.count + 100}"/>" class="rewards" type="checkbox" onchange="checkButton('button2','rewards')" name="rewardType" value="<c:out value="${reward}"/>" checked>
<label for="<c:out value="${counter.count + 100}"/>"><c:out value="${reward}"/></label></li>
</c:forEach>
Right now I've simply escaped everything, but it doesn't feel right. Can anyone tell me if there is some rule or something so I know what I should escape and what not?
Thanks in advance.
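Added example, not from the question or any answer on this page: a plain-Java copy of the replacement that JSTL's <c:out> (escapeXml="true") performs, used to show what that escaping buys in the two contexts the question's code uses, element text and double-quoted attribute values. Class and method names are assumptions.

```java
/**
 * Added example, not from the question: a plain-Java copy of the replacement
 * that JSTL's <c:out> (escapeXml="true") applies, so the effect can be seen
 * outside a JSP container. Class and method names are assumptions.
 */
public final class JstlEscapeDemo {

    /** The five characters <c:out> rewrites: & < > " ' */
    public static String escapeXml(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&#034;"); break;
                case '\'': out.append("&#039;"); break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    /** Element content, as in <td><c:out value="${reward.name}"/></td>:
     *  escaping < and > means the value cannot start a new element. */
    public static String cell(String rewardName) {
        return "<td>" + escapeXml(rewardName) + "</td>";
    }

    /** Double-quoted attribute, as in placeholder="<c:out value="${player.points}"/>":
     *  escaping " means the value cannot end the attribute. This only holds
     *  because the attribute is quoted, so keep the quotes. The same escaping is
     *  not enough for a value placed inside onchange="..." (a JavaScript
     *  context); that needs a JavaScript string encoder instead. */
    public static String placeholder(String points) {
        return "<input type=\"number\" placeholder=\"" + escapeXml(points) + "\">";
    }

    public static void main(String[] args) {
        // Constructed sample containing every character escapeXml rewrites.
        String sample = "Tom & Jerry <3 \"double\" 'single'";
        System.out.println(cell(sample));
        System.out.println(placeholder(sample));
    }
}
```

The rule this illustrates is to escape every dynamic value at the point where it is written into the page, choosing the escaper by the context it lands in (HTML text and quoted attributes for <c:out>, a JavaScript encoder for script and event-handler attributes).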
Related
I'm trying to create a question/answer quiz where there are multiple choice answers(in radio buttons) per question.
I want to display one question and its relevant set of answers at a time. How do I iterate over the list with control, so that on click it displays the next question and answers?
<form action="/addStuResponse" method="post">
<c:forEach items="${qlist}" var="question" varStatus="loopCounter">
<input type="hidden" name="quesSet" value="${question.quesId}">
<textarea rows="3" cols="5" readonly="readonly">${question.quesText}</textarea>
<c:forEach items="${anslist}" var="answer">
<c:if test="${answer.questions.quesId == question.quesId}">
<input type="radio" name="response" value="${answer.answer}">
</c:if>
</c:forEach>
</c:forEach>
<button type="submit">Next</button>
</form>
Keep a flag isCurrentQuestion on each question. Set the first question's flag to true and the rest of the questions' flags to false. On click of the Next button, change the isCurrentQuestion flag to false for the first question and set the second question's to true, and continue like this until the last question.
Modify your code as below:
<form action="/addStuResponse" method="post">
<c:forEach items="${qlist}" var="question" varStatus="loopCounter">
<c:if test="${question.isCurrentQuestion == true}">
<input type="hidden" name="quesSet" value="${question.quesId}">
<textarea rows="3" cols="5" readonly="readonly">${question.quesText}</textarea>
<c:forEach items="${anslist}" var="answer">
<c:if test="${answer.questions.quesId == question.quesId}">
<input type="radio" name="response" value="${answer.answer}">
</c:if>
</c:forEach>
</c:if>
</c:forEach>
<button type="submit">Next</button>
</form>
I have a problem trying to limit my drop-down list to show only x amount of items out of 50 items and include a vertical scrollbar. Is there a way to add inline CSS or methods, as I'm not very familiar with the Spring framework?
Tried using things like size=10, but this just changes it to a listbox with size 10, which is not of the 'drop-down' type.
<div class="pure-control-group">
<label for="centres"><fmt:message key="addinfo.centres" /> <span class="mandatory">*</span></label>
<div class="field input-medium">
<form:select class="input-medium" path="centres">
<c:forEach items="${centreBean.centresList}" var="centre">
<option value="${centre.codePk}">${centre.desc}</option>
</c:forEach>
</form:select>
</div>
</div>
How about this?
<c:forEach items="${centreBean.centresList}" var="centre" varStatus="status">
<c:if test="${status.index < 10}">
<option value="${centre.codePk}">${centre.desc}</option>
</c:if>
</c:forEach>
I have a tag h:selectManyCheckbox, and in it a loop over a list. For each item in the list I need a checkbox. Unfortunately the format of the checkbox + label does not correspond to the table which JSF creates. I need a div around each item, like this:
<div class="form_control var_checkbox">custom
<input type="checkbox" class="checkbox" name="service" id="service_0" data-product="additional_price" data-product-add-price="100.0">
<label class="label" for="service_0">title</label>
<span class="guarantee_price">CHF 100.0</span>
</div>
but JSF renders it like this:
<table>
<tbody>
<tr>
<td><input id="addToCart:j_id_29_2:0" type="checkbox" name="addToCart:j_id_29_2" value="0"><label for="addToCart:j_id_29_2:0"> title</label></td>
<td><input id="addToCart:j_id_29_2:1" type="checkbox" name="addToCart:j_id_29_2" value="1"><label for="addToCart:j_id_29_2:1"> titel2</label></td>
</tr>
</tbody>
</table>
Here's the code currently generating it:
<h:selectManyCheckbox value="${addToCartBean.selectedServicesIndexes}">
<c:forEach items="#{productServicesJSFBean.productServicePlusBeanKeySet}" var="productServicePlusKey">
<c:forEach items="#{productServicesJSFBean.productServicePlusBeans[productServicePlusKey]}" var="productServicePlus">
<div class="form_control var_checkbox">
<f:selectItem itemValue="${counter}" itemLabel="${productServicePlus.servicePlusDisplay.title}" >custom </f:selectItem>
</div>
<c:set var="counter" value="${counter + 1}"/>
</c:forEach>
</c:forEach>
</h:selectManyCheckbox>
I tried creating the checkbox by hand, but JSF doesn't pick it up. We cannot use a table; it has to be in the div format. How can I change how JSF renders those selectItems? I don't want it globally, only for those here. How can I do that?
Someone I sent this question to sent me this SO question, which I didn't find through Google: Render selectManyCheckbox without HTML table. Got it working with <h:outputLabel><h:selectBooleanCheckbox>.
I've run into a bit of an odd problem that is increasingly frustrating.
Scenario: I have a list of domain objects, each of which has a g:select attached to it that is rendered by a remote field.
How do I tie the status variable OR the personInstance ID to the selection box, so that when I use the renderField, I update testDiv_(number)?
View:
<g:each in="${listOfPeople}" status="i" var="personInstance">
<td>
Text: <g:remoteField action="getResults" controller="person" id="" update="testDiv_${personInstance.id}" paramName="search" name="getResults" value="" />
<g:each in="${personInstance?.choices}" var="choice" status="x">
<li>${choice}</li>
</g:each>
</td>
<td>
<g:render template="renderThisTemplate"></g:render>
</td>
</g:each>
Template:
<div id="testDiv_${personInstance.id}" class="testDiv_${personInstance.id}">
<g:select id="aChoice" name="aChoice.id" from="${allChoices}" optionKey="id" value="" />
<g:actionSubmit action="addChoice" value="Add"/>
</div>
Edit
I know that the remote call (ajax) is passing the update for testDiv_(number). The problem is with the template ID and assigning that value to the template div.
Just in case anyone needs this answer in the future: apparently you cannot reference the instance variable (personInstance) in the g:each from the template.
So I replaced the g:render with its code and it worked:
<g:each in="${listOfPeople}" status="i" var="personInstance">
<td>
Text: <g:remoteField action="getResults" controller="person" id="" update="testDiv_${personInstance.id}" paramName="search" name="getResults" value="" />
<g:each in="${personInstance?.choices}" var="choice" status="x">
<li>${choice}</li>
</g:each>
</td>
<td>
<div id="testDiv_${personInstance.id}" class="testDiv_${personInstance.id}">
<g:select id="aChoice" name="aChoice.id" from="${allChoices}" optionKey="id" value="" />
<g:actionSubmit action="addChoice" value="Add"/>
</div>
</td>
</g:each>
Hey guys, I have about 8 fieldsets and I'm iterating over a list. I want to fill up the checkboxes based on a value of each iteration, for example:
<c:if test="${detBean.groupName == 'HEADER_DATA'}">
*Add that checkbox to that fieldset, and so on...
<c:forEach var="detBean" items="${detFields}">
Display Name -- ${detBean.displayName}
Field Name -- ${detBean.fieldName}
Group Name -- ${detBean.groupName}
</c:forEach>
<tr>
<td>
<div id="displayFields" style="display:block;">
<fieldset class="det">
<legend>Header Data</legend>
<input type="checkbox" name="${detBean.displayName}" value="${detBean.displayName}">${detBean.displayName}</input>
</fieldset>
<fieldset class="det">
<legend>Materiel Data</legend>
<input type="checkbox" name="${detBean.displayName}" value="${detBean.displayName}">${detBean.displayName}</input>
<br/>
</fieldset>
</div>
</td>
</tr>
Thanks
This worked:
<div id="displayFields" style="display:block;">
<fieldset class="det">
<legend>Header Data</legend>
<c:forEach var="detBean" items="${detFields}">
<c:if test="${detBean.groupName == 'HEADER_DATA'}">
<input type="checkbox" name="${detBean.displayName}" value="${detBean.displayName}">${detBean.displayName}</input>
<br/>
</c:if>
</c:forEach>
</fieldset>
<fieldset class="det">
<legend>Materiel Data</legend>
<c:forEach var="detBean" items="${detFields}">
<c:if test="${detBean.groupName == 'MATERIEL_DATA'}">
<input type="checkbox" name="${detBean.displayName}" value="${detBean.displayName}">${detBean.displayName}</input>
<br/>
</c:if>
</c:forEach>
</fieldset>
</div>