Stripes framework: how can I disable string escaping in forms

Question

I'm using the stripes framework to realize a web application. In order to avoid all sorts of attacks, text is stored sanitized into the DB and the sanitization process includes encoding of HTML entities.

My problem shows up when I make a form with stripes. When the form starts out empty everything is fine. However, when the user had previously entered something is this form, and that the existing values are fetched from the DB, set in the action bean and then displayed by the stripes form tags, stripes escapes it again. This results in a double escaping of my string.

Is there anyway I can tell stripes that I know what I'm doing and the string I'm giving you is already escaped?

Answer 1

It seems the best solution is just not to use stripes for the problematic fields. If in your jsp you replace, for example :

<stripes:textarea name="userEntryComment"/>

with

<textarea name="userEntryComment">${actionBean.userEntryComment}</textarea>

Thenexcept stripes is not called at all to generate the HTML of the second version. Also since in this case we do not use the <c:out> tag, the String is not re-escaped.

Answer 2

The encoding en decoding of HTML entities is handled by Stripes, so there really is no need to store encoded HTML entities in the database. Just remove the encoding of HTML entities from your sanitization process and Stripes will handle the data securely.

There is another point to make: it can be considered a bad practice to store model data (MVC model!) in a presentation format like HTML. And HTML entities are of course also HTML formatted data. They will limit/hinder your usage of the data when doing all sorts of other stuff, like searching, sending text e-mail, etc. etc.