Spartan Java

Tips

Protecting web requests

by on Jul.15, 2011, under JavaScript, Security, Tips, Web related

Afraid of malicious injections in your web app requests? Here’s a simple way to improve your application’s security: push every request parameter through a filtering function before it’s fed to your application code.

Such a function can be as simple as:

private String cleanParameter(String value) {
   if (value != null) {
      // Remove eval(...) calls and quoted javascript: URLs first, while the
      // parentheses and quotes these patterns look for are still unescaped
      value = value.replaceAll("eval\\((.*)\\)", "");
      value = value.replaceAll("[\\\"\\\'][\\s]*javascript:(.*)[\\\"\\\']", "\"\"");
      // Then escape tag delimiters, parentheses and single quotes as HTML entities
      value = value.replaceAll("<", "&lt;").replaceAll(">", "&gt;");
      value = value.replaceAll("\\(", "&#40;").replaceAll("\\)", "&#41;");
      value = value.replaceAll("'", "&#39;");
   }
   return value;
}

This will escape or remove potentially dangerous JavaScript code and HTML/XML tags.

You can implement this in a web filter, a Struts interceptor or a DWR filter, depending on the technology you use for your app.


View Android’s emulator log from Eclipse

by on Nov.19, 2009, under Android, Tips

Sounds like it should be quite straightforward, right? Well, it is, but for some reason it took me more than a few minutes (maybe I need to get more sleep :P). Anyway, to view Android’s emulator log from Eclipse, go to Window / Show View / Other… / Android / LogCat


Get a web page programmatically from Android

by on Nov.18, 2009, under Android, Tips

The Google folks were kind enough to include a version of the Apache HTTP Client in the Android SDK, ergo loading a web resource/page from our Android apps is really simple:

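import java.io.BufferedReader;
import java.io.InputStreamReader;
import org.apache.http.HttpResponse;
import org.apache.http.client.HttpClient;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.impl.client.DefaultHttpClient;
import org.apache.http.protocol.BasicHttpContext;
import org.apache.http.protocol.HttpContext;

HttpClient httpClient = new DefaultHttpClient();
HttpContext localContext = new BasicHttpContext();
HttpGet httpGet = new HttpGet("http://www.spartanjava.com");
HttpResponse response = httpClient.execute(httpGet, localContext);
String result = "";

BufferedReader reader = new BufferedReader(
    new InputStreamReader(
      response.getEntity().getContent()
    )
  );

// Read the response body line by line
String line = null;
while ((line = reader.readLine()) != null){
  result += line + "\n";
}
reader.close(); // release the response stream

// Now you have the whole HTML loaded in the result variable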

Obovweb source code – a Google Appengine sample

by on Oct.20, 2009, under Security, Tips, Web related

Someone asked me about the implementation details of the Google Appengine sample I published a few weeks ago (http://obovweb.appspot.com/). Well, you can get a hold of the source code here.

There’s not much to tell: apart from the specific HMAC-SHA1 implementation (which you can check out in Obov’s source code), it’s a very simple JSP/DWR application.


Enabling “Enter” in a form without a submit button

by on Oct.13, 2009, under JavaScript, Tips

I find it quite annoying when I can’t post/confirm a web form using the Enter key.

Here is a nifty little JavaScript trick to do it when you do not need/want a submit input in your HTML.
(continue reading…)


Java application as a MS Windows service

by on Jul.29, 2009, under Tips

It’s really annoying to run something interactively on MS Windows when you know deep inside it should be an OS service. Doing this on a *nix system is quite simple (most of the time you just need to write a short shell script), but on MS Windows it’s not so easy.
(continue reading…)


Reload resource bundles on the fly, finally!

by on May.13, 2009, under Tips

Ever since the very first time I used a properties file in Java I’ve wanted to be able to reload it upon a sysadmin request or some other circumstance without having to reload the whole application, reset the application server or use some dark proprietary Sun APIs. Well, finally in Java 1.6 we can do it!!
(continue reading…)


Fast collection look-ups

by on Apr.30, 2009, under Performance, Tips

I recently had to load a bunch of objects into memory and then perform thousands of look-ups over that collection. Using the good old java.util.ArrayList just didn’t cut it: the contains() function is extremely slow (as you would guess, of course, since this implementation stores elements as they are inserted, without any additional indexing structure).
(continue reading…)


Automatically serialize POJOs to and from JSON

by on Apr.22, 2009, under JavaScript, Tips, Web related

The best tool I’ve found so far to serialize POJOs to JSON (and back again) is XStream: it’s automatic, simple and elegant. Check it out.


PHP & Java interoperable encryption

by on Jan.16, 2009, under Articles, Security, Tips

I recently faced the problem of encrypting something in PHP and decrypting it using Java. This proved to be a little more of a challenge than it initially seemed. (continue reading…)

