
    Text input boxes and XSS safety

    Hello there,

    I have a question about text input boxes (such as TextItem, PasswordItem, TextAreaItem, ComboBoxItem, ...). In order to secure my web application against XSS attacks, I consistently use GWT's SafeHTML. But for some input boxes the strings must now remain unchanged (e.g. passwords). That is, if the user chooses a random password that contains HTML, this should not be escaped but remain as it is.

    This leads to the question of whether the text fields in SmartGWT are always safe against XSS attacks, so that they can be filled with any content without any unintended JavaScript execution.
    Or can the desired behavior be achieved by setting certain properties?

    Greetings

    Andre

    #2
    Hi Andre,

    did you already see escapeHTML?

    Best regards
    Blama

      #3
      Hello Blama,

      thanks for your answer.

      Escaping unfortunately does not help me, because it changes the original string.

      See the following example: I read a value from a database and show it to the user. He changes the value arbitrarily. Afterwards, it is written back to the database. Now, if I use escaping, when writing back I can no longer distinguish whether certain parts of the string were caused by the escaping or by the user, who entered them in that form.

      If, for example, the password "<secret" is to be displayed, the escaping changes it to "&lt;secret". Now the user adds the substring "123". Then, unfortunately, "&lt;secret123" is written back (and not "<secret123").

      Reversing the escaping unfortunately does not work either, because the user may have added "123&lt;" as well, which would then unintentionally be changed to "<secret123<".

      Kind regards,

      Andre

        #4
        Hi Andre,

        I'm pretty sure this just works, because that's what escaping is for. Did you try this already? Display a value, change it, store it back? It should not matter whether it's a pwd or something else.

        Best regards
        Blama
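An added example (not code from either poster, nor from SmartGWT or GWT) that illustrates the point of the exchange above in plain JavaScript: when escaping is applied only at render time, the model value stays untouched and the round trip keeps "<secret123" intact, whereas treating the escaped display string as the value itself produces the "&lt;secret123" result Andre describes. The TextField class is a hypothetical stand-in for a form item, assumed here for illustration.

```javascript
// Escape the five characters that matter in HTML text and attribute context.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Hypothetical text field: the model holds the raw string, and the HTML view
// is derived from it on every render. The escaped form is never stored.
class TextField {
  constructor(rawValue) {
    this.raw = rawValue;
  }
  // Render: this is the only place escaping happens.
  toHtml() {
    return `<input type="text" value="${escapeHtml(this.raw)}">`;
  }
  // The browser hands back what the user typed, already decoded; a literal
  // "&lt;" typed by the user stays a literal "&lt;" in the model.
  userTypes(text) {
    this.raw += text;
  }
  // Persist the raw model value, not the rendered markup.
  valueToStore() {
    return this.raw;
  }
}

// Correct round trip for the password example from the thread:
// load from DB -> render (escaped) -> user edits -> store raw value.
function safeRoundTrip(fromDb, typed) {
  const field = new TextField(fromDb);
  field.userTypes(typed);
  return { html: field.toHtml(), stored: field.valueToStore() };
}

// The flow Andre is worried about: the escaped display string is itself used
// as the data value, so entity text ends up in the database.
function brokenRoundTrip(fromDb, typed) {
  const displayed = escapeHtml(fromDb); // escaped for display ...
  return displayed + typed;              // ... but then stored as data
}
```

Running `safeRoundTrip("<secret", "123")` yields the stored value `<secret123` and the rendered attribute `value="&lt;secret123"`, while `brokenRoundTrip` with the same input gives `&lt;secret123`.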

          #5
          Hello Blama,

          you're right. I have not used escapeHtml yet, because unfortunately I cannot use data-bound components in my project (I have no control over the server side). Is there a similar property for the simple FormItems (TextItem, TextAreaItem, …) that meets the requirements described above?

          Kind regards

          Andre
