cis498-g4 / GuestBook

Guest book and feedback system for events

Escape HTML characters being displayed from the DB #35

Closed mikemolenda closed 7 years ago

mikemolenda commented 7 years ago

This prevents cross-site scripting. Currently, if a user's email address is added to the database with a script like '", it will run the script when retrieved. See: http://bit.ly/2qDLDDW

mikemolenda commented 7 years ago

5/8/17 Added org.apache.commons.lang3.StringEscapeUtils.escapeHtml4() to all getString data access statements in
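The fix the comment above describes, as an added example that is not code from the GuestBook repository: `escapeHtml4()` wrapped around each `getString()` read, next to the unescaped read it replaces, with a constructed stored value to show the difference. It assumes commons-lang3 on the classpath and a hypothetical table with `name` and `email` columns; the `Entry` class is a stand-in for the project's own model.

```java
import java.sql.ResultSet;
import java.sql.SQLException;
import org.apache.commons.lang3.StringEscapeUtils;

public class EscapeOnReadExample {

    // Hypothetical stand-in for the project's entry model.
    public static final class Entry {
        public final String name;
        public final String email;
        public Entry(String name, String email) { this.name = name; this.email = email; }
    }

    // escapeHtml4 turns <, >, & and " into entities; a null column value passes through as null.
    public static String escape(String s) {
        return StringEscapeUtils.escapeHtml4(s);
    }

    // Before the fix: column values reach the page exactly as stored.
    public static Entry readRaw(ResultSet rs) throws SQLException {
        return new Entry(rs.getString("name"), rs.getString("email"));
    }

    // After the fix: every getString() result is escaped at the data-access layer,
    // which is the pattern the issue comment applies across the DAO.
    public static Entry readEscaped(ResultSet rs) throws SQLException {
        return new Entry(escape(rs.getString("name")), escape(rs.getString("email")));
    }

    // The view concatenates fields straight into markup, which is why a stored
    // <script> element executes when the raw value is rendered.
    public static String renderRow(Entry e) {
        return "<li>" + e.name + " (" + e.email + ")</li>";
    }

    public static void main(String[] args) {
        // Constructed stored value (no database needed) standing in for an email
        // column that carries markup instead of an address.
        String storedEmail = "<script>alert(1)</script>@example.com";
        Entry raw = new Entry("Guest", storedEmail);
        Entry safe = new Entry(escape("Guest"), escape(storedEmail));

        System.out.println(renderRow(raw));   // angle brackets survive, browser parses a script element
        System.out.println(renderRow(safe));  // angle brackets become &lt; and &gt;, rendered as text
    }
}
```

`escapeHtml4()` does not encode the apostrophe, so the escaped value is safe as element content and inside double-quoted attributes, but not inside single-quoted attributes or a JavaScript block, where a context-specific encoder is needed.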