Categories
discuss

Is escaping < and > sufficient to block XSS attacks?

I’m sure that the answer to this question is No, but I can’t seem to find a way that simply transforming < and > to &lt; and &gt; doesn’t completely block reflected and persistent XSS.

I’m not talking about CSRF.

If this doesn’t block XSS, can you provide an example of how to bypass this defence?

Answer

When using an untrusted string in an attribute (quoted with ") you need to escape " as &quot.

Otherwise you could easily inject javascript. For example, <a href="{{str}}"> with str being, for example, " onmouseover='something-evil'".

Categories
discuss

What is the best way to deploy a Java desktop application to multiple platforms?

I’m writing a Java application intended to run on the desktop, which will use Swing for its UI. I’m familiar with Java Web Start, but have heard that it can be cumbersome and buggy.

What tools are available to make it easier to deploy Java applications to multiple platforms? I’m particularly looking for freely available tools, or at least tools that are free for use with open source projects.

edit: I should clarify that this is for a peer-to-peer application that will predominantly run in the background, and should (optionally) be able to start automatically on Windows, Mac, and Linux.

edit2: I should further clarify that this app is intended to operate in countries where the government may censor our website. As such, its important that it can be distributed as a stand-alone file, rather than something that must be downloaded from a known website.

Answer

Java Web Start is currently the best technology for platform independent centrally controlled distribution of Java programs.

With the update of JWS in Java 6u10 things were improved quite a bit – previously especially caching was a problem.

We have found that by ensuring unique URL’s to the jar files for each new release instead of reusing them, the cache problems almost went away.

Categories
discuss

Find location of a removable SD card

Is there a universal way to find the location of an external SD card?

Please, do not be confused with External Storage.

Environment.getExternalStorageState() returns the path to the internal SD mount point, such as /mnt/sdcard. But the question is about the external SD. How do I get a path like /mnt/sdcard/external_sd (it may differ from device to device)?

I guess I will end with filtering of the output of the mount command by filesystem name. But I’m not sure this way is robust enough.

Answer

Environment.getExternalStorageState() returns path to internal SD mount point like “/mnt/sdcard”

No, Environment.getExternalStorageDirectory() refers to whatever the device manufacturer considered to be “external storage”. On some devices, this is removable media, like an SD card. On some devices, this is a portion of on-device flash. Here, “external storage” means “the stuff accessible via USB Mass Storage mode when mounted on a host machine”, at least for Android 1.x and 2.x.

But the question is about external SD. How to get a path like “/mnt/sdcard/external_sd” (it may differ from device to device)?

Android has no concept of “external SD”, aside from external storage, as described above.

If a device manufacturer has elected to have external storage be on-board flash and also has an SD card, you will need to contact that manufacturer to determine whether or not you can use the SD card (not guaranteed) and what the rules are for using it, such as what path to use for it.


UPDATE

Two recent things of note:

First, on Android 4.4+, you do not have write access to removable media (e.g., “external SD”), except for any locations on that media that might be returned by getExternalFilesDirs() and getExternalCacheDirs(). See Dave Smith’s excellent analysis of this, particularly if you want the low-level details.

Second, lest anyone quibble on whether or not removable media access is otherwise part of the Android SDK, here is Dianne Hackborn’s assessment:

…keep in mind: until Android 4.4, the official Android platform has not supported SD cards at all except for two special cases: the old school storage layout where external storage is an SD card (which is still supported by the platform today), and a small feature added to Android 3.0 where it would scan additional SD cards and add them to the media provider and give apps read-only access to their files (which is also still supported in the platform today).

Android 4.4 is the first release of the platform that has actually allowed applications to use SD cards for storage. Any access to them prior to that was through private, unsupported APIs. We now have a quite rich API in the platform that allows applications to make use of SD cards in a supported way, in better ways than they have been able to before: they can make free use of their app-specific storage area without requiring any permissions in the app, and can access any other files on the SD card as long as they go through the file picker, again without needing any special permissions.

Categories
discuss

Jsf Error : java.lang.ClassCastException

i am using jsf 2.0 on glassfish 3.0.1 to build an interface to my search engine , when i used Openfaces components on my jsf page and whenever i submit a form i get this error message :

java.lang.ClassCastException: [Ljava.lang.Object; cannot be cast to com.sun.faces.application.view.StateHolderSaver

i didnt find any help on the web , please what is the problem ? and how to get rid of it ?

thanks.

Answer

This is known as JSF issue 1427. Partial state saving may fail when ajax requests are fired on a page which is been opened by a JSF POST navigation case. There are three solutions, in recommended order:

  1. Do not use POST for page-to-page navigation. So replace <h:commandLink> by <h:link> or <h:outputLink>. See also h:outputLink vs h:commandLink.

  2. Implement POST-Redirect-GET pattern. So if you’re still using old fashioned <navigation-case> in faces-config.xml, then add <redirect/> entry. Or if you’re using implicit navigation outcomes, then add ?faces-redirect=true query string to the outcome.

  3. Configure the problematic pages to utilize full state saving.

    <context-param>
        <param-name>javax.faces.FULL_STATE_SAVING_VIEW_IDS</param-name>
        <param-value>/pagename.xhtml</param-value>
    </context-param>
    

    (multiple pages can be definied using comma as separator)

Categories
discuss

How to place an Admob ads bottom center of the screen?(Using java code to place.)

I used this code to place my admob ads, but these code will show the ads on top left of the screen, How to place the ads bottom center of the screen? please help 🙂

mAdView = new AdView(this, AdSize.BANNER, "xxxxx");
FrameLayout layout = (FrameLayout)findViewById(R.id.game_layout);
layout.addView(mAdView);
FrameLayout.LayoutParams adsParams = new FrameLayout.LayoutParams(LayoutParams.);
mAdView.setGravity(Gravity.BOTTOM);
mAdView.loadAd(new AdRequest());

Answer

The Height and Width layout Params for the FrameLayout should be FILL_PARENT. By Default it consider the height layout Param as WRAP_CONTENT and because of that even you have set the GRAVITY to BOTTOM your ads displayed on TOP. SET the Layout Params as I said.

Source: stackoverflow
Text is available under the Creative Commons Attribution-ShareAlike License; additional terms may apply. By using this site, you agree to the Privacy Policy, and Copyright Policy. Content is available under CC BY-SA 3.0 unless otherwise noted. The answers/resolutions are collected from stackoverflow, are licensed under cc by-sa 2.5 , cc by-sa 3.0 and cc by-sa 4.0 © No Copyrights, All Questions are retrived from public domain..