> With GWT, you are isolated to the following attack vectors -
> 1. Using native eval()
> 2. Using setInnerHTML() methods
> 4. XSS on the host html/jsp page
> Check-list to prevent XSS for GWT applications -
> - Don't EVER use eval() directly. There is hardly ever a need to use it.
> Remember - eval is evil.
... but note that JSONParser and JsonUtils *do* use eval() to "parse"
This is being worked on though: http://gwt-code-reviews.appspot.com/86803/show
> - Avoid using setInnerHTML directly. UIBinder should take care of 80-90%
> of your use cases. When you must use it, be careful to html escape any data.
> Standard HTML encoding rules apply - refer to OWASP's XSS
> more information.
Ray Ryan talked about "Safe HTML" at I/O, which should be integrated
into GWT proper at some point in time, but for now can be found on the
It's just a helper for building HTML fragments where some parts come
from untrusted sources.
> - Avoid using external JS. If you have to, use a trusted library, or be
> prepared to review the code
> - Use GWT's RPC - it will help you avoid XSS. If you cannot use RPC and
> are forced to use JSON/JSONP - use a safe JSON Parser. Search GWT forum -
> you will find a thread that discusses safe JSON Parsing. Additionally, the
> server that is generating JSON can take care to encode the data (this would
See above, I guess the JSONParser/JsonUtils improvements are targeted
at GWT 2.1
> - You will have to take care of encoding data to avoid XSS on the host
> html/jsp. This has nothing to do with GWT - and the techniques described on
> OWASP's website/Internet are good enough for this purpose.
> Additionally, you may want to read Security for GWT
> it introduces XSS and CSRF, and then explains what you can do to avoid
You received this message because you are subscribed to the Google Groups "Google Web Toolkit" group.
For more options, visit this group at http://groups.google.com/group/google-web-toolkit?hl=en.
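The two GWT-side sinks discussed in the thread above, shown as an added example in plain JavaScript (this is not code from the thread, from GWT, or from the JsonUtils/SafeHtml work it mentions; it runs under Node with no browser or DOM). The first half is the eval-as-JSON-parser problem next to a parser that only produces data; the second half is the setInnerHTML problem, with a small SafeHtml-style template tag that escapes every interpolated value. All names (`HOSTILE_RESPONSE`, `parseJsonSafely`, `safeHtml`, `renderGreeting*`) and the sample inputs are this example's own constructions.

```javascript
// Added example, not code from the original thread or from GWT itself: the two
// client-side XSS sinks the checklist names (eval-based JSON "parsing" and
// building innerHTML from untrusted data), in plain JavaScript so it runs
// under Node with no browser. All names below are this example's own.

// Constructed sample: a response that looks like a JSON object but smuggles
// a statement. Wrapping it in parentheses and eval()-ing it, as an eval-based
// JSON parser does, runs the statement; JSON.parse rejects the whole thing.
const HOSTILE_RESPONSE =
  '{"name":"alice"}); globalThis.pwned = true; ({"name":"alice"}';

const BENIGN_RESPONSE = '{"name":"alice"}';

// The pattern the checklist warns against: eval() as a JSON parser.
function parseWithEval(text) {
  return eval('(' + text + ')');
}

// Runs the hostile response through eval and reports whether the smuggled
// statement executed. The returned object looks perfectly legitimate, which
// is why this sink is easy to miss in a code review.
function demonstrateEvalParse() {
  delete globalThis.pwned;
  const value = parseWithEval(HOSTILE_RESPONSE);
  return { name: value.name, codeExecuted: globalThis.pwned === true };
}

// Safe parser: only data comes out, and anything that is not JSON is an error.
function parseJsonSafely(text) {
  try {
    return { ok: true, value: JSON.parse(text) };
  } catch (e) {
    return { ok: false, error: e.name };
  }
}

// Minimal HTML escaper for text placed inside element content or a
// double-quoted attribute value. Values that land in URLs, CSS or event
// handler attributes need context-specific encoding; this covers HTML text.
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
};
function htmlEscape(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// SafeHtml-style template tag: the literal template parts are trusted markup,
// every interpolated value is escaped, so a caller cannot forget to escape.
function safeHtml(strings, ...values) {
  let out = strings[0];
  for (let i = 0; i < values.length; i++) {
    out += htmlEscape(values[i]) + strings[i + 1];
  }
  return out;
}

// Constructed untrusted input, as it might arrive in a JSON field.
const PAYLOAD = '<img src=x onerror=alert(1)>';

// What ends up in setInnerHTML() when the data is concatenated unescaped.
function renderGreetingUnsafe(name) {
  return '<p>Hello, <b>' + name + '</b></p>';
}

// The same fragment built through the escaping template.
function renderGreetingSafe(name) {
  return safeHtml`<p>Hello, <b>${name}</b></p>`;
}
```

Calling `demonstrateEvalParse()` returns `{ name: 'alice', codeExecuted: true }`: the caller gets the object it expected while the attacker's statement has already run, which is exactly why a JSON/JSONP endpoint (or anything between it and the browser) must not be fed to eval. `parseJsonSafely(HOSTILE_RESPONSE)` instead fails with a SyntaxError. On the markup side, `renderGreetingSafe(PAYLOAD)` yields text with `&lt;img ...&gt;` rather than an element, and because escaping happens inside the template tag the only way to get raw markup in is through the trusted literal part, which is the property the SafeHtml helper in the thread is after.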