Hey folks, I am a relative noob to GWT and have been looking at it from a security code review perspective. I want to create a set of guidelines for people who have to review GWT code from a security perspective looking for vulnerabilities.
I have read and understood: http://www.gwtproject.org/articles/security_for_gwt_applications.html

I have also implemented the StockWatcher application by following the tutorial. In trying to introduce vulnerabilities that I could exploit as a demonstration of what to look for, I have failed. My understanding after reading the article on GWT security was that if tainted data is set using setHTML() or setInnerHTML() on a client widget it will be susceptible to XSS. I found the HTML widget to contain a setHTML() routine that took a String and not SafeHTML, and set its value to contain a variety of standard XSS exploits such as <script>alert(1);</script>. It does not produce the expected results. It seems to me that there is a blacklist or further escaping that happens under the covers.

Is it that I am simply not "popping" out to the right context, or is GWT truly immune to XSS? What should someone performing code review on a GWT app be looking for?

Thanks,
Kurt

-- 
http://groups.google.com/group/Google-Web-Toolkit-Contributors

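As an added illustration for the review question above (this is example code, not from the GWT project or the original post): the String overload of setHTML() and setInnerHTML() inserts markup verbatim, and GWT's SafeHtmlUtils.fromString() is what turns tainted text into inert entities. A missing alert after injecting a script element is not evidence of escaping, because browsers do not execute `<script>` elements that arrive through innerHTML; the reviewer's signal is the sink itself. The block below mirrors the entity escaping fromString performs, contrasts a raw and an escaped render, and includes a heuristic line scanner that lists setHTML()/setInnerHTML() call sites not routed through SafeHtmlUtils.fromString() for manual review. The Java snippet it scans is constructed; `htmlEscape`, `renderUnsafe`, `renderSafe` and `findUnsafeSinks` are names chosen here.

```javascript
// Added example, not GWT project code.
// Mirrors the escaping GWT's SafeHtmlUtils.fromString() applies: the five
// HTML-significant characters become entities, so tainted text is inert
// in element content and in quoted attribute values.
function htmlEscape(s) {
  return s
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Model of the two HTML.setHTML overloads discussed in the post.
// renderUnsafe stands for the String overload: markup goes in as-is.
// renderSafe stands for the SafeHtml path: input is escaped first.
function renderUnsafe(tainted) {
  return '<div>' + tainted + '</div>';
}
function renderSafe(tainted) {
  return '<div>' + htmlEscape(tainted) + '</div>';
}

// Reviewer helper (heuristic, assumes one sink call per source line):
// report every setHTML/setInnerHTML call whose argument is not wrapped in
// SafeHtmlUtils.fromString(). Anything else, including
// SafeHtmlUtils.fromTrustedString(), is listed for a human to check.
const SINK_CALL = /\.(setHTML|setInnerHTML)\s*\(([^)]*)\)/;
const ESCAPED_ARG = /SafeHtmlUtils\.fromString\(/;

function findUnsafeSinks(javaSource) {
  const hits = [];
  javaSource.split('\n').forEach((line, index) => {
    const m = SINK_CALL.exec(line);
    if (!m) return;                       // no sink on this line
    if (ESCAPED_ARG.test(m[2])) return;   // argument escaped via fromString
    hits.push({ line: index + 1, sink: m[1], arg: m[2].trim() });
  });
  return hits;
}

// Constructed GWT client snippet for the scanner. Window.Location.getParameter
// is a real GWT source of attacker-controlled text (the URL query string).
const SAMPLE_JAVA = [
  'String name = Window.Location.getParameter("name");',
  'htmlWidget.setHTML(name);',
  'htmlWidget.setHTML(SafeHtmlUtils.fromString(name));',
  'htmlWidget.setHTML(SafeHtmlUtils.fromTrustedString(name));',
  'el.setInnerHTML("<b>" + name + "</b>");',
  'label.setText(name);',
].join('\n');

// Stand-alone run: show the escaping and the flagged lines.
const payload = '<script>alert(1);</script>';
console.log('raw    :', renderUnsafe(payload));
console.log('escaped:', renderSafe(payload));
for (const h of findUnsafeSinks(SAMPLE_JAVA)) {
  console.log(`line ${h.line}: ${h.sink}(${h.arg}) needs review`);
}
```

The scanner is deliberately strict: it does not try to decide whether a SafeHtmlBuilder or fromTrustedString() call was fed constant text, because that judgement is exactly what the reviewer is there to make. Label.setText() never matches, since it sets a text node rather than markup.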