Reviewers: jlabanca,

Description:
No exploit here, but it's generally bad to trust that server error
messages will be free of user-supplied data. In fact, it's an error
we've been known to make:
http://code.google.com/p/google-web-toolkit/issues/detail?id=3637

In this case, there is no reason to handle the server error message as
HTML.

Please review this at http://gwt-code-reviews.appspot.com/33811

Affected files:
    
samples/dynatable/src/com/google/gwt/sample/dynatable/client/DynaTableWidget.java


Index:  
samples/dynatable/src/com/google/gwt/sample/dynatable/client/DynaTableWidget.java
===================================================================
---  
samples/dynatable/src/com/google/gwt/sample/dynatable/client/DynaTableWidget.java
        
(revision 4142)
+++  
samples/dynatable/src/com/google/gwt/sample/dynatable/client/DynaTableWidget.java
        
(working copy)
@@ -1,5 +1,5 @@
  /*
- * Copyright 2007 Google Inc.
+ * Copyright 2009 Google Inc.
   *
   * Licensed under the Apache License, Version 2.0 (the "License"); you may  
not
   * use this file except in compliance with the License. You may obtain a  
copy of
@@ -60,9 +60,13 @@ public class DynaTableWidget extends Composite {
        hide();
      }

-    public void setBody(String html) {
+    public void setBodyHtml(String html) {
        body.setHTML(html);
      }
+
+    public void setBodyText(String text) {
+      body.setText(text);
+    }
    }

    private class NavBar extends Composite implements ClickHandler {
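Review bot: The renamed `setBodyHtml` still accepts arbitrary markup and neither setter carries Javadoc, so the HTML/text distinction the commit introduces is enforced only by the method names. I would document the contract on both: on `setBodyHtml`, `/** Sets the dialog body as HTML. Pass only trusted, constant markup; never content derived from user input or server responses. */`, and on `setBodyText`, `/** Sets the dialog body as plain text. Safe for untrusted content, which is rendered literally rather than interpreted as markup. */`. Whether other callers of the old `setBody` exist cannot be seen from this hunk; the affected-files list names only this file, so presumably not. The nested class that holds these methods starts outside the hunk.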
@@ -160,10 +164,12 @@ public class DynaTableWidget extends Composite {
        }
        if (caught instanceof InvocationException) {
          errorDialog.setText("An RPC server could not be reached");
-        errorDialog.setBody(NO_CONNECTION_MESSAGE);
+        errorDialog.setBodyHtml(NO_CONNECTION_MESSAGE);
        } else {
          errorDialog.setText("Unexcepted Error processing remote call");
-        errorDialog.setBody(caught.getMessage());
+        // Some times error messages have user input in them, so we play
+        // it safe and set this message as text instead of HTML.
+        errorDialog.setBodyText(caught.getMessage());
        }
        errorDialog.center();
      }
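Review bot: The new comment reads "Some times" and states the rationale loosely; I would write it as `// Error messages may echo user-supplied input, so set the body as text rather than HTML so it is never interpreted as markup.` Separately, `caught.getMessage()` can be null for many Throwables, and whether `setText(null)` clears the body or fails is not visible here (the same applied to the old `setBody` call), so consider `String message = caught.getMessage();` followed by `errorDialog.setBodyText(message != null ? message : caught.toString());`. The unchanged context line above also spells the title "Unexcepted", which a follow-up could correct to "Unexpected". The enclosing method starts outside the hunk.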



