    XSS Vulnerability

    Hi,

    I am using Smart GWT 2.4. I have the following code that sets a label,

    Label loggedOn = new Label("Logged on as : " + UserSession.getInstance().getUserName());

    UserSession is a POJO populated with XML coming back from the server. However, if I put some script in the user name, the JavaScript is executed in the browser. I notice similar issues with ListGrid as well.

    Is this expected to be handled transparently by SmartGwt?

    #2
    GWT handles it properly. The issue seems to be in some of the SmartGwt components like labels, list grid etc.

    The following code works fine

    com.google.gwt.user.client.ui.Label label = new com.google.gwt.user.client.ui.Label("<script>alert('Hi, there')</script>");
    RootPanel.get("tabContainer").add(label);

    However, the following code seems to fail on XSS

    com.smartgwt.client.widgets.Label label = new com.smartgwt.client.widgets.Label("<script>alert('Hi, there')</script>");
    RootPanel.get("tabContainer").add(label);

      #3
      These are not XSS vulnerabilities and neither GWT nor SmartGWT "transparently" handles XSS, although SmartGWT does a lot more for you because of its server-side support.

      On your specific example, any other XSS attack (JavaScript event handlers, iframes, etc) works in a GWT Label, the fact that a <script> block in particular doesn't execute is just a quirk of how the GWT Label renders and not a security feature. So you need to quote the HTML placed in either GWT or SmartGWT containers.

      In a nutshell, with SmartGWT:

      1. decide for any text field whether HTML-special characters are allowed

      2. if not allowed, define a validator that prevents them. This enforcement takes place client & server from the single definition in the .ds.xml file

      3. if HTML-special tags are allowed and never intended to be active, set field.escapeHTML to cause all DataBoundComponents (ListGrid, DynamicForm etc) to escape the field value with a single setting

      You still need to manually escape for situations like displaying a data value directly in a Label rather than going through a DataBoundComponent, and there are more nuances if you want to allow specific HTML tags in user content (eg <b> tags in messages in a forums application). But the above is the big picture for typical fields.

        #4
        Thanks for the quick response.

        Is escapeHtml a method on ListGrid, DynamicForm etc?

        Kind regards
        Meeraj

          #5
          It's not a method, it's a setting on a DataSourceField (escapeHTML="true").

            #6
            Hi,

            One of the things I noticed was if I have data content "<script>alert('Hi')</script>", it triggers the script execution on Labels and ListGrids. However on DynamicForm fields they get displayed properly without triggering script execution.

            Thanks

              #7
              We just explained this: set escapeHTML="true". Are you using an older version? We recently made this into a single setting at the DataSource level whereas you needed to set it specifically on some components before. Grab the latest build for the easier, single setting: smartclient.com/builds.

                #8
                Thanks.

                I am using 2.4 from the Maven central repo. Do I set escapeHTML=true, using the setAttribute method call on the relevant Widget call or is there another API to do it?

                Kind regards
                Meeraj

                  #9
                  Hi,

                  I have downloaded the latest nightly build.

                  1. I can see the setEscapeHTML method on the ListGridField
                  2. I don't see it on other classes like DetailViewerField, ComboBoxItem etc

                  Also, what is the implication on setting this on editable combo boxes, where the contents are filtered when the user types the value in? Because of the escaping would there be a mismatch between what the user is typing in and the actual data held by the ComboBox, or is the escaping done only at the point of rendering?

                    #10
                    I have tested setEscapeHTML on ListGridItem and it works well. However, I have a ComboBoxItem that contains unsafe data. I did setAttribute("escapeHTML", true) on the ComboBoxItem. However, when I start typing in the matching characters into the ComboBox the script in the unsafe data executes.

                      #11
                      Also, the escaping doesn't seem to work on DetailViewerField

                        #12
                        If you're not seeing the API in all of those places, you may have downloaded the wrong thing or not installed it correctly. Go to smartclient.com/builds to download, and installation instructions are here.

                        As far as ComboBoxItem, where are you typing and what's happening? Typing in the text field provided by the ComboBoxItem obviously does nothing.

                        Note also, it's not an XSS vulnerability unless you can *save it* and have *another user* execute it. A user can always execute code themselves via the URL bar if nothing else. Wikipedia has a good article on this if you want some background.

                          #13
                          Originally posted by Isomorphic
                          If you're not seeing the API in all of those places, you may have downloaded the wrong thing or not installed it correctly. Go to smartclient.com/builds to download, and installation instructions are here.
                          Ok, I downloaded 2011-05-12 and I can see a later build 2011-05-13, I will try that, thanks.

                          Originally posted by Isomorphic
                          As far as ComboBoxItem, where are you typing and what's happening? Typing in the text field provided by the ComboBoxItem obviously does nothing.
                          I have an item change handler that dynamically sets the value map by calling a REST service based on what the user has typed in. However, if the data that is returned contains any unsafe data (like <script>alert('hi')</script>, for example), the script executes in the browser and pops the alert box when the value map is set.

                          Originally posted by Isomorphic
                          Note also, it's not an XSS vulnerability unless you can *save it* and have *another user* execute it. A user can always execute code themselves via the URL bar if nothing else. Wikipedia has a good article on this if you want some background.
                          I understand; in fact we have had a hard time in the past number of months chasing XSS and CSRF bugs on systems and getting them in line with the OWASP guidelines.

                          Anyway, what you suggest is exactly what happens. One user can save some unsafe data, and when that data is displayed back without escaping, the script executes in the browser. Calling setEscapeHTML seems to solve this for ListGridItem. However, on editable combo boxes, doing a live search and filter, the escaping tampers with the functionality. For example, the user may type in <script> and the server returns all data matching <script>. However, if we do the escape on the data set on the value map, what goes in is &lt;script&gt;. This means the client-side filtering never works, as what is typed in by the user doesn't match what is in the underlying data model. I was hoping I could just do the escaping on the panel beneath the combo box (the one which pops down) so that the script doesn't execute in case of unsafe data.

                          Once again, many thanks for your help
                          Kind regards
                          Meeraj

                            #14
                            A valueMap is generally used for a short statically defined enumeration, not user-entered data. An optionDataSource allows you to connect a ComboBoxItem to dynamic, user-entered data. Because there's a DataSource definition involved, escapeHTML can be set on the relevant fields, and they will be escaped when displayed while the search still operates on the underlying field values.

                            If you haven't already found it, for cases where you need manual escaping, there's StringUtil.asHTML().

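The distinction drawn in #14 (and the manual-escaping step from #3) modelled in plain JavaScript, as an added example that is not SmartGWT code: records are filtered on their raw field values and escaped only at render time, with a hand-written escapeHtml standing in for StringUtil.asHTML(). The records and the REST-style response are constructed sample data.

```javascript
// Added example, not SmartGWT code: why escaping the data in a valueMap breaks
// client-side filtering, and why escaping at render time (what escapeHTML on a
// DataSource field does for an optionDataSource) does not.

// Hand-written HTML escaper used in place of StringUtil.asHTML(); it is not
// SmartGWT's implementation.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Constructed sample records as a REST service might return them; one record
// carries the hostile user-entered value discussed in the thread.
const RECORDS = [
  { id: 1, name: "Alice" },
  { id: 2, name: "<script>alert('hi')</script>" },
  { id: 3, name: "Bob <b>Smith</b>" },
];

// The approach that failed in #13: escape the data before it goes into the
// value map. The filter then compares the user's raw typing against escaped
// text, so typing "<script" no longer matches the stored record.
function filterEscapedData(records, typed) {
  const escaped = records.map(r => ({ ...r, name: escapeHtml(r.name) }));
  return escaped.filter(r => r.name.startsWith(typed)).map(r => r.name);
}

// The approach from #14: keep raw values for matching and escape only what is
// displayed. Each hit keeps its raw value (for the data model) and an HTML
// form (for the pick list).
function filterThenRender(records, typed) {
  return records
    .filter(r => r.name.startsWith(typed))
    .map(r => ({ raw: r.name, html: escapeHtml(r.name) }));
}

// Build the pick-list markup; safe to assign to innerHTML because every
// displayed value has been escaped.
function renderPickList(entries) {
  return entries.map(e => `<div class="pickListRow">${e.html}</div>`).join("");
}
```

Typing `<script` into the escaped-data model returns nothing, while the filter-then-render model still finds the record and shows it inert.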
                              #15
                              OK, with the latest build I can get setEscapeHTML to work with ListGridField and DetailViewerField, which is very promising. Please see the attached screenshot. I need to try out the suggested ComboBox solution.

                              Also, some unrelated aspect that was working for the previous build has stopped working with the latest build. I need to do some digging.

                              BTW, how stable is the nightly build? Is there going to be a 2.5 release soon?

                              Many thanks
                              Kind regards
                              Meeraj