Spring data CRUD methods

Question

We use spring data, the whole point of which is to be able to just use the provided interfaces (such as eg CrudRepository) and not have to actually implement stuff.

We have realized that we need to take steps to make sure that our app:

• escapes illegal HTML characters such as & < > " ' from input
• has protection against sql injections

and to me the most logical place do to that would seem to be somewhere high up in the generic db methods that all our repos share. But since they are not implemented anywhere in our code I dont know if this already implemented in spring data or not.

Answer 1

You seem to be mixing two very different concerns here, so let's discuss them separately:

1. The protection against SQL injection is to be found in the corresponding SQL-ish spring-data implementation: JDBC or JPA; so you shouldn't need to worry about it. The generic API doesn't expose anything related to this simply because it's generic and "SQL injection" sounds really weird when you're using HBase, for instance.

2. Escaping HTML stuff is a whole different thing since it's a concern of your presentation layer, not your data layer. So you can either escape the input at validation time, before sending it to the repository or sanitize the output afterwards, when you want to display stored data in the UI.

As a note, HTML is just one of the formats your data can be delivered as. If you later on need to also produce JSON or CSV, you will end up mixing escapes for different formats in the database. This is an obvious reason why escaping is not part of the DAO layer and why output sanitization is the safe way to go here.

Answer 2

To address your concerns about escapes illegal HTML characters such as & < > " ' from input

You should consider using:

org.apache.commons.lang.StringEscapeUtils.escapeHtml(str) 

in your service layer

for more information about this class, see StringEscapeUtils JavaDocs