Raible Designs

Java Web Frameworks and XSS

In preparation for my talk at OSCON next week, I've been doing some research on cross-site scripting and how good Java web frameworks handle it. I'm disappointed to report that the handling of XSS in Java web frameworks is abysmal. First of all, the JSP EL doesn't bother to handle XSS:

With JSP 2.0 you can use the following to emit the description of a "todo" item:
${todo.description}
That's pretty nice. What happens when someone has entered a description like this?
<script type="text/javascript">alert('F#$@ you!');</script>
Well, it executes the JavaScript and pops up a nice little message to you.
...
My question is this: Why in the world did the expert group on the JSP 2.0 JSR decide to make not escaping XML content the default for EL expressions, when they made the opposite decision for c:out?

(Emphasis mine) If a company/developer wants to make sure their JSP-based code is not susceptible to XSS, they have two choices (as I see it):

• Do lots of code review to make sure <c:out> is used instead of ${}.
• Hack the jsp-compiler/el-engine to escape XML by default.

The good news is #2 doesn't seem to be that hard. I pulled down commons-el yesterday, added a hack to escape XML, re-jarred and put it in Tomcat 5.0.25's classpath. This actually worked and I was impressed it was so easy. However, when I looked at Tomcat 6, commons-el is no longer used and now there's a "jasper-el.jar" in the lib directory. I don't mind modifying another library, but what's the difference between jasper-el and commons-el?

Of course, the whole problem with JSP EL could be solved if Tomcat (and other containers) would allow a flag to turn on XML escaping by default. IMO, it's badly needed to make JSP-based webapps safe from XSS.

On a related note, there's a couple of web frameworks that I've found to be susceptible to XSS: namely Spring MVC and Struts 2. For Spring MVC, its <form:input> and <form:errors> tags are vulnerable. For Struts 2, OGNL expressions are evaluated, which is way worse than XSS and actually allows you to shutdown the JVM by putting %{@java.lang.System@exit(0)}" in a text field.

Even though it was surprising for me to see the issues with Struts 2 and Spring MVC, I'm somewhat glad they exist. If I hadn't discovered them, I might blissfully think that Java web frameworks aren't susceptible to XSS. However, it appears they're not only susceptible, but no one is really thinking about XSS when developing these framework. To further prove that theory, the Spring MVC and Struts 2 teams are aware of these issues, have been for quite some time - yet they've done nothing in the form of releasing upgrades or patches.

Seems kinda strange doesn't it?

Mountain View Tech Meetup

Like I mentioned a few weeks back, a few of us are going to get together this week for a tech meetup. Wednesday (tomorrow) looks like the best night for most. The only question is where? Please leave any suggestions in a comment. Most of the guys coming (so far) work in Mountain View, so it'd be nice to do something close by. 6:00 seems like a good time to start.

What is a tech meetup? It's a user group meeting w/o the meeting part. You go straight to the bar, grab some drinks, maybe some dinner, and talk tech.

Update: We have a location! The Blue Chalk Cafe in Palo Alto. Hope to see you there tomorrow at 6.

How popular is your web framework?

From the Struts user mailing list:

Since its release in June 2001, Apache Struts has become the most popular web framework for Java. Six years later, by any objective measure, Struts is still Java's most popular web framework.

In February and March 2007, the group released both Struts 1.3.8 and Struts 2.0.6 to the general public, and Struts downloads zoomed to over 340,000 a month from the Apache site alone. And this is just the tip of the iceberg. Most copies of Struts are downloaded from an network of mirrors or obtained from Maven repositories.

So how popular is Struts compared to the other heavy hitters like Spring and Hibernate? Spring has about 1/2 as many (80K) downloads in the same period and so does Hibernate. How do MyFaces, Wicket and Tapestry stack up? Here's their best download numbers in the past few months:

• MyFaces: ~12K (and that's only because of a rate 3-times-normal spike)
• Tapestry: ~12K
• Wicket: ~10K

Sorry JSF, you appear to be losing. Badly. This is an incorrect statement as pointed out by commentors. Thanks for keeping me honest guys.

Disclaimer: Yes, I realize that these statistics are not very accurate, especially considering Maven. Unfortunately, until Maven has repository download stats, this information is the best we've got.

Going to JavaZone

I'm pleased to announce that I'll be speaking at JavaZone this year in Oslo, Norway. It's been a couple of years since I've been to Norway, but I've been wanting to go back ever since I left. Not only is Oslo itself awesome, but the people really showed me a good time.

I just bought my tickets, so it's pretty much a sure thing at this point. Even better, like my trip to ApacheCon EU, I'm bringing along some family.

Good ol' Mom and Dad will be joining me - making it my Dad's 4th international trip this year (Tanzania, Panama, Amsterdam/Germany are the previous 3). That's pretty good considering Africa was his only business trip.

Our current plan is to fly in on Sunday, visit the ancestral homeland (Finland) for a couple of days, and then spend Tuesday - Friday (September 11-14) in Oslo. If you're going to JavaZone - I hope to see you there. If you have any suggestions on what we should see in Finland or Oslo, we'd love to hear your suggestions.

AppFuse 2.0 Status Update

It's been far too long since the release of AppFuse 2.0 M5. When we released that version, I fully expected to finish up RC1 a week or two later, and follow that with 2.0 Final a week later. Fast forward a month and a half, and there's still 38 issues left for 2.0 RC1. What happened?

Life got in the way.

There's probably less than 40 hours left to complete 2.0. I could say that I haven't had the time, but you all know that's a lie. Everyone has time. When someone says "I don't have time to do X right now", this really means "that's not on my priority list and I'm not going to make time to do it". So unfortunately AppFuse hasn't been on my priority list. Finding a new gig, vacationing with my family and buying a new mountain bike were on my priority list.

So if there's only 40 hours worth of work left, why didn't I just work a couple hours a day on it? Primarily because when I work on AppFuse it possesses me. I tend to get caught up in it and it's tough for me to concentrate on other things, especially work that I'm supposed to be doing during the day. Since I've had two new clients in the past few weeks, I've been aware of this and purposely stayed away from working on it.

The good news is things should settle down soon. I have a couple weekends on the horizon that look to be free, so hopefully I can crank it out and finish it up in the next month or so. As far as the project itself, there's plenty of users happily using the 2.0 milestone releases and there's still lots of traffic on the mailing list. It's crazy to think that the planning for AppFuse 2.0 started over a year ago and development started one year ago next month. If I knew it'd take this long, would I still have done it? Absolutely. I've never heard so many positive comments from users.

In other AppFuse News, Contegix has graciously donated an entire managed server to the project. We have licenses for the Atlassian Suite (JIRA, Confluence, Bamboo and Crowd) and will be moving/installing everything over the next week or so.

Thanks Contegix!

As anyone that uses them knows, they're simply the best hosting company in existence today. Their customer support and response time is incredible.

First Day at LinkedIn

Today was my first day onsite at LinkedIn in Mountain View, California. I'm very impressed by two things so far: they gave me a new MacBook Pro and Sushi is on tap for lunch tomorrow. Of course, there's a lot more impressive things going on there, but the new MacBook was today's highlight. The strange thing is I don't need one - I just got a new 17" a few months ago. Nevertheless, I received and configured a new 15" today. It's not the machine that impresses me, but the company's willingness to buy the best machines for its developers.

I was introduced to almost the entire company this morning, and I only saw one Windows machine in a sea of Macs. My favorite quote? "If the MacBook Pro isn't fast enough for you, we can see about getting you a Mac Pro." I like a company that knows what developers like and doesn't have a problem treating them well.

The last time I received a new computer as part of a contract or full-time position? I believe that was way back in 2002. Working at LinkedIn seems like a developer's paradise. Does your company provide new MacBook Pros and Cinema Displays to its developers?

DSL at The Cabin

Believe it or not, I'm actually writing this entry on a high-speed DSL connection from The Cabin in Montana. The service is provided by Blackfoot and the speeds are quite good (768k/384k). We're "off the grid" as far as power goes, but we're not on the grid for communications. My dad's got a pretty elaborate generator-to-battery system setup up here, so as long as the DSL modem has power - the cabin has broadband!

Bike to Work Day

Today is Bike to Work Day in Denver. I rode my bike into The Hive this morning. It was a perfect morning for a ride - overcast and cool, with the sun just starting to poke out as I approached downtown. Unfortunately, I didn't realize all the festivities were at Civic Center Park, so I didn't win any prizes, get any breakfast or drink any free coffee. Oh well, maybe they'll have free beer somewhere on the ride home...

Want a kick-ass Java Job in Boulder?

Do you know AppFuse well? Want a job in Boulder, Colorado?

I met with a couple of guys from Morphlix last week - they're using AppFuse as a base for building a new video distribution system - like Netflix, only a lot better. They're building up their team and looking for ace back-end and UI developers. If you're interested, drop them a line via [email protected].

Why do I mention this here? Because it sounds like an awesome company to work for. They're in startup mode and, from the sounds of their business plan - destined for success. Who knows, I may even join them after I get done with the LinkedIn gig.

JA-SIG Keynote: Comparing Java Web Frameworks

This morning I did my first keynote at the JA-SIG Summer Conference in Denver. My talk was on Comparing Java Web Frameworks. I told attendees I'd post it here afterwards, so here it is:Download Comparing Java Web Frameworks Presentation (1.1 MB)

In addition, I mentioned my Java Web Frameworks Sweetspots Whitepaper.

Will I be comparing web frameworks at conferences for the rest of my life? Possibly. I've been submitting 2-3 proposals to conferences and it's the only one that keeps getting selected. I'll be delivering it at OSCON, JavaZone, Colorado Software Summit and ApacheCon US.

The Colorado Software Summit wants to have an original presentation - so I may need to drop a framework or two and add in Seam, Grails and GWT. If you are planning on attending one of these talks, which frameworks would you like to see compared?

Related: Comments after I delivered this presentation at ApacheCon EU.