Tuesday, October 30, 2012

Re: setHTML example , unsafe ?


On Tuesday, October 30, 2012 6:04:45 PM UTC+1, Matthew Dempsky wrote:
On Tue, Oct 30, 2012 at 9:53 AM, Jose María Zaragoza <demab...@gmail.com> wrote:
public void print(String message)
{
   widget.setHTML(message);
}

this.print("<br>This is an error</br>");
this.print("<br>This is another error</br>");

This code is fine.  The risk comes from if you have something like

    this.print(user.getName());

and a user sets their name to "<script>alert(1)</script>".  But if you look at either the print() function implementation or any of the callers in isolation, it's not clear that there's an issue.  It's only if you look at the whole application at once that you can realize there's an issue.

This is also the motivation for GWT's SafeHtml libraries.  When used correctly, it makes it easier to security review GWT code without needing to double check whether any given function treats its string arguments as plain text or HTML.

Not sure <script>alert(1)</script> would be "at risk" here, as browsers generally (I said generally, I'm sure there are exceptions, IE maybe?) don't execute <script>s on assigning innerHTML; but there are things like onclick="alert(1)", <img src="http://vilain">, <img src="neverland" onerror="alert(1)">, <iframe style="position:absolute;top:0;left:0;bottom:0;right:0;" src="http://vilain"></iframe>, etc.

SafeHtml and SafeStyles solve the "primitive obsession" anti-pattern: http://c2.com/cgi/wiki?NoStrings
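The ambiguous print(String) sink and its SafeHtml-typed replacement, as an added example that is not code from any of the posters; it assumes a GWT 2.x project that inherits the com.google.gwt.safehtml module, and the class and method names (ErrorPanel, showUserError, Templates) are hypothetical:

```java
// Added example, not from the thread. Assumes GWT 2.x with the SafeHtml module.
import com.google.gwt.core.client.GWT;
import com.google.gwt.safehtml.client.SafeHtmlTemplates;
import com.google.gwt.safehtml.shared.SafeHtml;
import com.google.gwt.safehtml.shared.SafeHtmlBuilder;
import com.google.gwt.safehtml.shared.SafeHtmlUtils;
import com.google.gwt.user.client.ui.HTML;

public class ErrorPanel {
    private final HTML widget = new HTML();

    // BEFORE: the signature does not say whether 'message' is text or markup.
    // print(user.getName()) is an injection sink, but neither this method nor
    // the caller looks wrong on its own; that is the review problem the thread
    // describes.
    public void printUnsafe(String message) {
        widget.setHTML(message);
    }

    // AFTER: only a SafeHtml value can reach innerHTML, so every caller has to
    // state explicitly how its data became HTML. Reviewing the sink alone is
    // now enough.
    public void print(SafeHtml message) {
        widget.setHTML(message);
    }

    // Caller side: markup is a compile-time constant, user data is escaped.
    // A name like "<script>alert(1)</script>" or an <img onerror=...> payload
    // is rendered as literal text, so the innerHTML quirks mentioned in the
    // thread no longer matter.
    public void showUserError(String userName) {
        SafeHtml html = new SafeHtmlBuilder()
            .appendHtmlConstant("<br>This is an error for ")
            .appendEscaped(userName)
            .toSafeHtml();
        print(html);
    }

    // Equivalent with SafeHtmlTemplates: {1} sits in a text node, so the
    // generated code escapes it; {0} sits in an attribute and is escaped for
    // that context.
    interface Templates extends SafeHtmlTemplates {
        @Template("<span class=\"{0}\">{1}</span>")
        SafeHtml message(String cssClass, String text);
    }
    private static final Templates TEMPLATES = GWT.create(Templates.class);

    public void showAnotherError(String text) {
        print(TEMPLATES.message("error", text));
    }

    // For a single user-controlled string with no surrounding markup.
    public void showPlainText(String text) {
        print(SafeHtmlUtils.fromString(text));
    }
}
```

If a caller really holds markup it trusts, it has to say so with SafeHtmlUtils.fromTrustedString, which makes that decision visible at the call site instead of hidden inside print().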

