In order to prevent various attacks, you have to check for much more
than just script tags. For example, the following can cause javascript
to be interpreted and would get by a <script> filter:
<input type="image" src="javascript:alert('send help. stuck in a dom');">
Therefore, you really need to be explicit about which strings are and
aren't dangerous. Anything provided by a user is potentially dangerous
and should be escaped (using SafeHtmlUtils.fromString(String)). If you
want a small amount of markup in user-provided strings (e.g., not
everything is escaped, tags such as <b> are allowed), you can take a
look at SimpleHtmlSanitizer.sanitizeHtml(String).
For more information, please check out:
http://code.google.com/webtoolkit/doc/latest/DevGuideSecuritySafeHtml.html
Philip
On Dec 2, 9:22 am, Ed <post2edb...@gmail.com> wrote:
> I like the new SafeHtml functionality.
> However, how can I best check if a string that I inject in a div
> (example: HTML.setHTML(html)) contains script?
>
> I now have made simple checks, like checking for the <script (<SCRIPT)
> tag, but that's very fragile and little as you also have the click
> events that can be set on an element, etc...
>
> The SafeHtml code escapes all the html tags, which I don't want. I
> only want it to escape the "dangerous" pieces of text. How to do this?
--
You received this message because you are subscribed to the Google Groups "Google Web Toolkit" group.
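The two options Philip describes (escape everything, or keep a small allow-list of tags), shown against the `<input ... src="javascript:...">` case that a `<script` check misses. This is an added example, not code from the thread or from GWT itself; it assumes a GWT module that inherits `com.google.gwt.user.User`, and the class name `SafeUserHtml` and the sample input are constructed for illustration.

```java
import com.google.gwt.core.client.EntryPoint;
import com.google.gwt.core.client.GWT;
import com.google.gwt.safehtml.shared.SafeHtml;
import com.google.gwt.safehtml.shared.SafeHtmlUtils;
import com.google.gwt.safehtml.shared.SimpleHtmlSanitizer;
import com.google.gwt.user.client.ui.HTML;
import com.google.gwt.user.client.ui.RootPanel;

/** Contrasts the fragile blacklist check from the question with SafeHtml. */
public class SafeUserHtml implements EntryPoint {

  /** Constructed user input: it contains no script tag, so a naive filter lets it through. */
  static final String USER_INPUT =
      "<b>hello</b> <input type=\"image\" src=\"javascript:alert('x')\">";

  /** The check from the question: only looks for a script tag, so it misses other vectors. */
  static boolean naiveLooksSafe(String html) {
    return !html.toLowerCase().contains("<script");
  }

  /** Option 1: treat the whole string as text. Every tag is escaped, including <b>. */
  static SafeHtml asPlainText(String userInput) {
    return SafeHtmlUtils.fromString(userInput);
  }

  /** Option 2: keep an allow-list of simple tags (<b>, <i>, ...); everything else is escaped. */
  static SafeHtml asLimitedMarkup(String userInput) {
    return SimpleHtmlSanitizer.sanitizeHtml(userInput);
  }

  @Override
  public void onModuleLoad() {
    // The blacklist check passes the payload; the escaped and sanitized forms do not
    // contain a live <input> tag, and only the sanitized form keeps the <b> tag.
    GWT.log("naive check passes: " + naiveLooksSafe(USER_INPUT));
    GWT.log("escaped: " + asPlainText(USER_INPUT).asString());
    GWT.log("sanitized: " + asLimitedMarkup(USER_INPUT).asString());

    // Inject into the widget only through a SafeHtml, never through setHTML(String).
    HTML widget = new HTML();
    widget.setHTML(asLimitedMarkup(USER_INPUT));
    RootPanel.get().add(widget);
  }
}
```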