Thanks Thomas, that was helpful. I tried the img tag and it did work.

> What you're seeing here is browser "sanitization" from innerHTML (not
> sanitization actually, just that the <script> are not run). Try with <img
> onerror="alert(1)" src="//"> or similar (onclick, etc.)
>
>> What should someone performing code review on a GWT app be looking for?
>
> Everywhere SafeHtml / SafeStyles / SafeUri could be used but is not
> (HasHTML#setHTML is one such thing)
-- http://groups.google.com/group/Google-Web-Toolkit-Contributors --- You received this message because you are subscribed to the Google Groups "GWT Contributors" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. For more options, visit https://groups.google.com/groups/opt_out.
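As an added illustration of the review point above (example code written for this note, not code from the thread or from the GWT project): the String overload of HasHTML#setHTML with concatenated input beside the SafeHtml / SafeUri form a reviewer would expect. `ProfileRenderer`, the `Templates` interface and the input values are hypothetical.

```java
import com.google.gwt.core.client.GWT;
import com.google.gwt.safehtml.client.SafeHtmlTemplates;
import com.google.gwt.safehtml.shared.SafeHtml;
import com.google.gwt.safehtml.shared.SafeHtmlBuilder;
import com.google.gwt.safehtml.shared.SafeHtmlUtils;
import com.google.gwt.safehtml.shared.SafeUri;
import com.google.gwt.safehtml.shared.UriUtils;
import com.google.gwt.user.client.ui.HTML;

// Hypothetical widget code used to contrast the two setHTML overloads.
public class ProfileRenderer {

    // Pattern to flag in review: untrusted strings concatenated into markup and
    // handed to setHTML(String). innerHTML does not execute <script>, but an
    // injected <img onerror=...> or onclick attribute still runs.
    public static void renderUnsafe(HTML target, String displayName, String avatarUrl) {
        target.setHTML("<img src=\"" + avatarUrl + "\"> <b>" + displayName + "</b>");
    }

    // Hardened form 1: a SafeHtmlTemplates template. The generator escapes
    // {1} for its text context and only admits a SafeUri in the src attribute.
    interface Templates extends SafeHtmlTemplates {
        @Template("<img src=\"{0}\"> <b>{1}</b>")
        SafeHtml profile(SafeUri avatar, String displayName);
    }

    private static final Templates TEMPLATES = GWT.create(Templates.class);

    public static SafeHtml buildSafe(String displayName, String avatarUrl) {
        // UriUtils.fromString sanitizes the untrusted URL; an unsafe scheme
        // (for example javascript:) is replaced rather than passed through.
        SafeUri avatar = UriUtils.fromString(avatarUrl);
        return TEMPLATES.profile(avatar, displayName);
    }

    // Hardened form 2: SafeHtmlBuilder for markup assembled in code. Only
    // literal markup goes through appendHtmlConstant; data is appendEscaped.
    public static SafeHtml buildSafeWithBuilder(String displayName) {
        SafeHtmlBuilder b = new SafeHtmlBuilder();
        b.appendHtmlConstant("<b>").appendEscaped(displayName).appendHtmlConstant("</b>");
        return b.toSafeHtml();
    }

    public static void renderSafe(HTML target, String displayName, String avatarUrl) {
        // setHTML(SafeHtml): the type proves the value was escaped or templated.
        target.setHTML(buildSafe(displayName, avatarUrl));
    }

    // Plain text with no markup at all: SafeHtmlUtils.fromString escapes it.
    public static SafeHtml textOnly(String displayName) {
        return SafeHtmlUtils.fromString(displayName);
    }
}
```

During review, grep for `setHTML(` and `setInnerHTML(` call sites that take a `String` rather than a `SafeHtml`, and for `appendHtmlConstant` or `fromTrustedString` fed anything other than a literal.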
