Blog from an ATG Developer

May 22, 2009

White Space problem in ATG Application

Filed under: ATG, JSP — madhulal @ 9:11 am

We had an issue in one of my previous projects: the generated HTML page contained a lot of white space, and the resulting HTML was far larger than it needed to be. We can avoid this by modifying the deployment descriptor.

<!-- init-param of the JSP servlet definition (for Tomcat, the "jsp" servlet in conf/web.xml) -->
<init-param>
<param-name>trimSpaces</param-name>
<param-value>true</param-value>
</init-param>

Alternatively, we can use the following pattern in DSP pages to reduce white space: the closing > of each tag is moved to the start of the next line, so no newline is emitted between tags.

<dspel:page
><dspel:droplet name="/test"
><dspel:oparam name="output"
>Name: <dspel:valueof param="test"
/></dspel:oparam
></dspel:droplet
></dspel:page>

Another approach is to swallow the newlines inside JSP comments (<%-- ... --%>), which are dropped from the generated output.

<dspel:page><%--
--%><dspel:droplet name="/test"><%--
--%><dspel:oparam name="output"><%--
--%>Name: <dspel:valueof param="test"/><%--
--%></dspel:oparam><%--
--%></dspel:droplet><%--
--%></dspel:page>

NB:- I know the code fragments provided in the topics are very low in readability. Please blame WordPress….

Reference:
1. http://betweengo.com/2008/08/22/trim-white-space-from-jsp/
2. http://www.caucho.com/resin-3.0/jsp/faq.xtp

May 21, 2009

XSS – Cross Site Scripting Security Issue

Filed under: Website Security — madhulal @ 11:49 am

Websites get more complex every day, with a lot of dynamic content to display, and the attack surface grows with them. Cross-site scripting (XSS) is one such vulnerability. Let me explain it in terms of what I have faced.

In an e-Commerce site we normally have a search option. Suppose we search for a term, say "ffddjkl". There are no results for that term, so we display a message similar to the following.

There are no results associated with the term ffddjkl.

Now suppose you enter <EMBED SRC="http://www.htmlcodetutorial.com/graphics/sounds/1812over.mid" AllowScriptAccess="always"></EMBED> in the search text field. Obviously there are no results for this term, so we display the above message with the new search text. Here comes the vulnerability: the search results page includes the EMBED tag unescaped, so the MIDI file starts playing as soon as the page loads. So you see the security catch, right?

Here we use the following code segment to display the message.

<fmt:message key="resourceBundleKey">
<fmt:param value="${param.searchText}"/>
</fmt:message>

To avoid the vulnerability, we should have something like this.

<fmt:message key="resourceBundleKey">
<fmt:param>
<c:out value="${param.searchText}" escapeXml="true"/>
</fmt:param>
</fmt:message>

When a tag only accepts its value through an attribute and not through the tag body, escape the value into a page-scoped variable first and pass that variable to the tag.

<c:set var="myEscapedVar" scope="page">
<c:out value="${param.someRequestParameter}" escapeXml="true"/>
</c:set>
<some:tag value="${pageScope.myEscapedVar}"/>
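To make the difference between the two fmt:message variants concrete, here is an added Java example (not code from the post or from ATG) that formats the "no results" message the way fmt:message with fmt:param does, once with the raw request parameter and once after applying the same character escaping that c:out escapeXml="true" performs. The resource bundle text and the sample search term are assumptions.

```java
import java.text.MessageFormat;

public class SearchMessageEscaping {

    // Assumed resource bundle value for "resourceBundleKey"; {0} is the fmt:param.
    static final String NO_RESULTS =
        "There are no results associated with the term {0}.";

    /** Same character mapping JSTL's c:out applies when escapeXml="true". */
    static String escapeXml(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '\'': sb.append("&#039;"); break;
                case '"':  sb.append("&#034;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Equivalent of <fmt:param value="${param.searchText}"/>: the term goes in as-is. */
    static String renderUnsafe(String searchText) {
        return MessageFormat.format(NO_RESULTS, searchText);
    }

    /** Equivalent of wrapping the param in <c:out escapeXml="true"/>. */
    static String renderSafe(String searchText) {
        return MessageFormat.format(NO_RESULTS, escapeXml(searchText));
    }

    public static void main(String[] args) {
        // Constructed input in the shape of the post's EMBED payload (placeholder URL).
        String searchText = "<EMBED SRC=\"http://example.invalid/x.mid\"></EMBED>";
        System.out.println(renderUnsafe(searchText)); // browser parses the EMBED tag
        System.out.println(renderSafe(searchText));   // browser shows it as literal text
    }
}
```

The escaped version reaches the browser as &lt;EMBED ...&gt;, which the HTML parser renders as text rather than as an element, so nothing is loaded or executed from the search term.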

For more information on XSS, see http://www.cgisecurity.com/xss-faq.html
Reference: http://michaelstudman.com/fullfathomfive/articles/2004/05/31/el-and-cross-site-scripting-attacks-jsp-2-functions-to-the-rescue

May 14, 2009

Encryption in ATG

Filed under: ATG, Encryption — madhulal @ 11:39 am

The out-of-the-box implementation uses the MD5 encryption algorithm. Suppose we need another encryption algorithm on top of MD5. My requirement was to apply SHA-256 over the value already encrypted with MD5. The following are the changes I made to get it done.

The component which does the encryption is DigestPasswordHasher. We need to override the encryptPassword() method.

The code fragment I used is attached. Copying and pasting the code into the post came out garbled, so I am attaching the file instead.

See it here.
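As an added illustration of the chaining described above (this is not the post's attached code and does not extend any ATG class), the following stand-alone Java helper computes SHA-256 over the MD5 value; an encryptPassword() override could delegate to a helper like this. It assumes, as this example's own choice, that the MD5 output is hex-encoded before being fed to SHA-256 and that no salt is involved.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

public class ChainedPasswordDigest {

    /** Lower-case hex encoding of a digest (assumed to match how the MD5 value is stored). */
    static String toHex(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) {
            sb.append(String.format("%02x", b));
        }
        return sb.toString();
    }

    /** Digest a string with the named JCA algorithm and return the hex string. */
    static String digestHex(String algorithm, String input) {
        try {
            MessageDigest md = MessageDigest.getInstance(algorithm);
            return toHex(md.digest(input.getBytes(StandardCharsets.UTF_8)));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(algorithm + " not available", e);
        }
    }

    /** Step 1: MD5 hex of the clear-text password (the out-of-the-box value). */
    static String md5Hex(String password) {
        return digestHex("MD5", password);
    }

    /** Step 2: SHA-256 over the MD5 hex string, giving the value to store. */
    static String md5ThenSha256(String password) {
        return digestHex("SHA-256", md5Hex(password));
    }

    public static void main(String[] args) {
        String pw = "example-password"; // constructed sample input
        System.out.println("MD5:          " + md5Hex(pw));
        System.out.println("SHA-256(MD5): " + md5ThenSha256(pw));
    }
}
```

Because both digests are fast and unsalted here, the chained value is no slower to compute than the original MD5, so this change by itself does not slow down offline guessing of weak passwords.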

ATG User Input Sample Code

Filed under: ATG, Learning — madhulal @ 11:09 am

The attached file contains the code for reading user input. The JSP file collects input from the user through several kinds of form controls.

1. Text field
2. Checkbox
3. Dropdowns
4. Radio buttons

Besides the JSP file, the zip file contains the FormHandler.
Download it

May 7, 2009

Linux Help2 – File system

Filed under: Linux-Unix — madhulal @ 1:13 pm

Linux File System

Read more about the file system here.
http://linuxconfig.org/Filesystem_Basics

May 6, 2009

Linux Help 1

Filed under: Linux-Unix — madhulal @ 10:42 am

My Windows XP system had a virus attack. That was horrible. I lost all of my data.
So I started thinking of Linux as an alternative. As a first step I ordered a free Ubuntu CD. Do it here

The following are the useful and interesting things I have come across.

Ubuntu Pocket Guide and Reference
http://www.ubuntupocketguide.com/index_main.html

Unique Penguin
http://www.100mb.nl/

Bash command index
http://www.ss64.com/bash/

Linux crashed (I know it's rare, but it happened).
Ctrl+Alt+Del won't work.

Press and hold Alt and PrtSc together, then type R E I S U B one key at a time while
still holding those two keys. The system will restart.
http://en.wikipedia.org/wiki/Magic_SysRq_key

Security FAQ
http://www.linuxsecurity.com/docs/colsfaq.html

Software Directory for GNOME
http://www.gnomefiles.org/

Popular Live CD List
http://www.livecdlist.com/?pick=All&sort=Purpose&sm=0
