Coding Exercise 5: Stripping HTML


  • One common class of attack is to insert malicious code (often JavaScript) into input data in the hope that the data will end up somewhere that it can be executed
  • Requires a lot of trial and error, but malicious users have lots of time
  • Cleansing the request means checking for, and removing, data that could constitute malicious code

  • Three techniques
    • Using a whitelist or blacklist
    • Stripping HTML
    • Checking for SQL code

EXERCISE

  1. The method in Fig 9-2 takes a string as input, and returns a string that is:
    1. The same as the input string if the input string does not contain any characters between the characters “<” and “>”
    2. The same as the input string, but with the characters between the characters “<” and “>” (both included) removed and replaced with “<>”
  2. However, there is a bug in Fig 9-2. Spend a few minutes reading the code in Fig 9-2 and trace through it using an example input string to see how the code behaves. This will help you figure out where the bug is and will give you a reference for writing your own stripHTML method, which you have to do next.
  3. You will write code inspired by the code in Fig 9-2 to strip potential HTML tags from the usernames and passwords that the user types into the banking application. Here are the changes you should make to UiServices.java:
    1. Add a new method, called stripHTML, that does the following:
      1. Takes a string as input
      2. Returns a string the same as the input string if the input string does not contain the characters “<” and “>”. For example, if the input string is job, the string returned by stripHTML should be job.
      3. Returns a sanitized string using the following logic: if the characters “<” and “>” are seen in the input string, the code should remove the characters between “<” and “>” and return a sanitized string, but also add the characters <> to the end of the sanitized string. For example, if the input string is jo<html>b, the sanitized string returned by the method should be job<>
    2. Then, modify your cleanseInput method so that it also calls stripHTML. Note that the way you check the returned value from stripHTML is now different, because stripHTML returns a string and not a Boolean value. The method cleanseInput should return TRUE if either blacklist characters or HTML are found in the input string, and FALSE otherwise. It should also print out a message if any blacklist characters are found, and another message if HTML is found.
    3. Finally, you need to modify the code in UiServices so that the program repeatedly asks the user to enter the input if cleanseInput returns TRUE. If you have already done this in Exercise 4, you will not need to make further changes for this portion.
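As an added example (this is not Fig 9-2 and not the course's UiServices.java), here is one Java implementation of the stripHTML and cleanseInput behaviour described in step 3. The class name and the blacklist characters are assumptions, since the exercise does not list the characters used in Exercise 4.

```java
import java.util.Scanner;

public class StripHtmlExample {   // assumed class name; put these methods in UiServices instead

    // Assumed blacklist; the exercise does not list the characters from Exercise 4.
    private static final String BLACKLIST = ";'\"\\";

    // Removes every "<...>" run, both brackets included. If at least one run was
    // removed, "<>" is appended once, so jo<html>b becomes job<>. A "<" with no
    // closing ">" is left in place, which is what the written spec asks for.
    public static String stripHTML(String input) {
        StringBuilder out = new StringBuilder();
        boolean found = false;
        int i = 0;
        while (i < input.length()) {
            char c = input.charAt(i);
            if (c == '<') {
                int close = input.indexOf('>', i + 1);
                if (close != -1) {
                    found = true;
                    i = close + 1;          // skip the whole <...> region
                    continue;
                }
            }
            out.append(c);
            i++;
        }
        return found ? out.append("<>").toString() : out.toString();
    }

    // TRUE if blacklist characters or HTML were found, FALSE otherwise; prints a
    // separate message for each case, as step 3.2 requires.
    public static boolean cleanseInput(String input) {
        boolean dirty = false;
        for (char c : BLACKLIST.toCharArray()) {
            if (input.indexOf(c) != -1) {
                System.out.println("Blacklisted character found: " + c);
                dirty = true;
                break;
            }
        }
        if (!stripHTML(input).equals(input)) {   // a string came back, not a Boolean
            System.out.println("HTML found in input");
            dirty = true;
        }
        return dirty;
    }
}
```

The re-prompt loop from step 3.3 is then a do/while that reads a line with Scanner and repeats while cleanseInput returns true.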