Tuesday, October 30, 2012

Re: setHTML example , unsafe ?

On Tue, Oct 30, 2012 at 9:53 AM, Jose María Zaragoza <demablogia@gmail.com> wrote:
// Any caller can pass arbitrary markup here; the String type does not say whether it is trusted.
public void print(String message)
{
   widget.setHTML(message);
}

this.print("<br>This is an error</br>");
this.print("<br>This is another error</br>");

This code is fine.  The risk comes in if you have something like

    this.print(user.getName());

and a user sets their name to "<script>alert(1)</script>".  But if you look at either the print() function implementation or any of the callers in isolation, it's not clear that there's an issue.  It's only if you look at the whole application at once that you can realize there's an issue.

This is also the motivation for GWT's SafeHtml libraries.  When used correctly, they make it easier to security-review GWT code without needing to double check whether any given function treats its string arguments as plain text or HTML.

--
You received this message because you are subscribed to the Google Groups "Google Web Toolkit" group.
To post to this group, send email to google-web-toolkit@googlegroups.com.
To unsubscribe from this group, send email to google-web-toolkit+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/google-web-toolkit?hl=en.
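An added example, not from the thread, showing the type-based approach the reply describes: the original String-typed print() kept beside a version whose parameter type is SafeHtml, so each caller must state whether its input is a trusted constant or untrusted data. The class name ErrorPanel, the method names and the use of a GWT HTML widget are assumptions for the illustration; SafeHtml, SafeHtmlUtils and SafeHtmlBuilder are GWT's own classes.

```java
import com.google.gwt.safehtml.shared.SafeHtml;
import com.google.gwt.safehtml.shared.SafeHtmlBuilder;
import com.google.gwt.safehtml.shared.SafeHtmlUtils;
import com.google.gwt.user.client.ui.HTML;

// Hypothetical panel class (assumption) wrapping a GWT HTML widget.
public class ErrorPanel {
    private final HTML widget = new HTML();

    // Before: a String parameter. Reviewing this method alone, or any single
    // caller alone, does not reveal whether untrusted data can reach setHTML().
    public void printUnsafe(String message) {
        widget.setHTML(message);
    }

    // After: the SafeHtml parameter type records that the content has already
    // been escaped or declared a trusted constant, so the review question is
    // answered at each call site instead of across the whole application.
    public void print(SafeHtml message) {
        widget.setHTML(message);
    }

    // Trusted, developer-written markup: declared as a safe constant.
    public void printFixedError() {
        print(SafeHtmlUtils.fromSafeConstant("<br>This is an error"));
    }

    // Untrusted data such as user.getName(): fromString() escapes it, so a
    // name of "<script>alert(1)</script>" is rendered as literal text.
    public void printUserName(String untrustedName) {
        print(SafeHtmlUtils.fromString(untrustedName));
    }

    // Mixing trusted markup with untrusted data: constants are appended as
    // HTML, user data is appended escaped.
    public void printGreeting(String untrustedName) {
        SafeHtml html = new SafeHtmlBuilder()
            .appendHtmlConstant("<p>Hello, ")
            .appendEscaped(untrustedName)
            .appendHtmlConstant("</p>")
            .toSafeHtml();
        print(html);
    }
}
```

With print(SafeHtml) as the only entry point, a call such as print(user.getName()) no longer compiles; the developer has to choose fromString() (escape) or fromSafeConstant() (assert trust), and a reviewer can grep for the latter to find every place markup is trusted without reading the rest of the code base.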
