wrote:
> With GWT, you are isolated to the following attack vectors -
>
> 1. Using native eval()
> 2. Using setInnerHTML() methods
> 3. Using non-gwt javascript code/thirdparty js libraries
> 4. XSS on the host html/jsp page
>
> Check-list to prevent XSS for GWT applications -
>
> - Don't EVER use eval() directly. There is hardly ever a need to use it.
> Remember - eval is evil.
... but note that JSONParser and JsonUtils *do* use eval() to "parse"
JSON.
This is being worked on though: http://gwt-code-reviews.appspot.com/86803/show
> - Avoid using setInnerHTML directly. UIBinder should take care of 80-90%
> of your use cases. When you must use it, be careful to html escape any data.
> Standard HTML encoding applies - refer to OWASP's XSS
> cheatsheet <http://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_...> for
> more information.
Ray Ryan talked about "Safe HTML" at I/O, which should be integrated
into GWT proper at some point in time, but for now can be found on the
WaveProtocol project:
http://code.google.com/p/wave-protocol/source/browse/src/org/waveprotocol/wave/client/common/safehtml/?repo=io2010
It's just a helper for building HTML fragments where some parts come
from untrusted sources.
> - Avoid using external JS. If you have to, use a trusted library, or be
> prepared to review the code
> - Use GWT's RPC - it will help you avoid XSS. If you cannot use RPC and
> are forced to use JSON/JSONP - use a safe JSON parser. Search the GWT forum -
> you will find a thread that discusses safe JSON Parsing. Additionally, the
> server that is generating JSON can take care to encode the data (this would
> need to follow javascript escaping rules described in OWASP's cheatsheet)
See above, I guess the JSONParser/JsonUtils improvements are targeted
at GWT 2.1
> - You will have to take care of encoding data to avoid XSS on the host
> html/jsp. This has nothing to do with GWT - and the techniques described on
> OWASP's website/Internet are good enough for this purpose.
>
> Additionally, you may want to read Security for GWT
> Applications <http://groups.google.com/group/Google-Web-Toolkit/web/security-for-gw...> -
> it introduces XSS and CSRF, and then explains what you can do to avoid
> them.
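The two escaping points raised in the thread (escape untrusted data before it is concatenated into markup, and parse JSON with a real parser rather than `eval()`) can be shown in plain browser JavaScript, which is what GWT compiles down to. The block below is an added example written for this page; it is not code from the original post, from GWT, or from the WaveProtocol SafeHtml helper. The `SafeHtmlBuilder` class, its `appendHtmlConstant`/`appendEscaped` method names, `renderGreeting`, `parseJsonSafely` and the sample inputs are all assumptions modelled on the idea described above: trusted literal markup is appended as-is, everything from an untrusted source is escaped first.

```javascript
// Added example (not from the original post, GWT, or the WaveProtocol project).
// Demonstrates (1) building an HTML fragment where untrusted parts are escaped
// and (2) parsing JSON without eval().

// Escape the characters that change meaning in HTML text and attribute
// contexts (the OWASP HTML-entity encoding rule referenced in the thread).
function escapeHtml(untrusted) {
  return String(untrusted)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Minimal "safe HTML" builder (hypothetical name and API): literal markup
// written by the developer is appended unchanged, untrusted values are
// escaped before they are joined into the fragment.
class SafeHtmlBuilder {
  constructor() { this.parts = []; }
  appendHtmlConstant(markup) { this.parts.push(markup); return this; }
  appendEscaped(untrusted) { this.parts.push(escapeHtml(untrusted)); return this; }
  toHtml() { return this.parts.join(''); }
}

// Builds the fragment that would later be handed to setInnerHTML/innerHTML.
function renderGreeting(name) {
  return new SafeHtmlBuilder()
    .appendHtmlConstant('<p>Hello, <b>')
    .appendEscaped(name)
    .appendHtmlConstant('</b></p>')
    .toHtml();
}

// JSON.parse accepts only JSON data; eval() would execute any JavaScript
// expression handed to it, which is why the thread calls it unsafe.
function parseJsonSafely(text) {
  try {
    return { ok: true, value: JSON.parse(text) };
  } catch (e) {
    return { ok: false, error: e.message };
  }
}

// Constructed sample inputs (not real data from the thread).
const untrustedName = '<script>alert(1)</script>';      // user-supplied display name
const validJson = '{"user":"alice","roles":["admin"]}';  // well-formed JSON
const hostileJson = '{"user":"alice"}; alert(1)';        // JSON followed by code

// Stand-alone run: show the escaped fragment and both parse results.
console.log(renderGreeting(untrustedName));
console.log(parseJsonSafely(validJson));
console.log(parseJsonSafely(hostileJson));
```

The escaped fragment still renders the payload as visible text rather than as a script element, and `parseJsonSafely(hostileJson)` returns `ok: false` because the trailing statement is not valid JSON; an `eval()`-based parser would have run it. The same pattern is what GWT's later `SafeHtml` types formalise: the type itself records that escaping has already happened, so `setInnerHTML` only ever receives a value that was built this way.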