Maybe Matthew Dempsky can comment, but I believe there's an error-prone plugin that handles checking for XSS in GWT and bad use of SafeHtml/setHTML.
On Tue, Jan 28, 2014 at 12:05 PM, Kurt Dmello <[email protected]> wrote:

> Thanks Thomas,
> That was helpful. I tried the img tag and it did work.
>
>
>> What you're seeing here is browser "sanitization" from innerHTML (not
>> sanitization actually, just that the <script> are not run). Try with <img
>> onerror="alert(1)" src="//"> or similar (onclick, etc.)
>>
>>
>>> What should someone performing code review on a GWT app be looking for?
>>>
>>
>> Everywhere SafeHtml / SafeStyles / SafeUri could be used but is not
>> (HasHTML#setHTML is one such thing)
>>
> --
> http://groups.google.com/group/Google-Web-Toolkit-Contributors
> ---
> You received this message because you are subscribed to the Google Groups
> "GWT Contributors" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/groups/opt_out.
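The review point Thomas raises, as an added example that is not code from the thread: a GWT widget class (hypothetical name `GreetingPanel`, parameter `displayName`) showing the `HasHTML#setHTML(String)` pattern a reviewer should flag next to two ways of rewriting it with the SafeHtml APIs.

```java
import com.google.gwt.core.client.GWT;
import com.google.gwt.safehtml.client.SafeHtmlTemplates;
import com.google.gwt.safehtml.shared.SafeHtml;
import com.google.gwt.safehtml.shared.SafeHtmlBuilder;
import com.google.gwt.user.client.ui.HTML;

// Illustrative GWT client code (added example, not from the mailing-list thread).
public class GreetingPanel {

    // Review finding: setHTML(String) hands an untrusted value straight to
    // innerHTML. Markup with an event handler attribute runs even though
    // <script> elements inserted this way do not, so this is an XSS sink.
    static void renderUnsafe(HTML widget, String displayName) {
        widget.setHTML("<b>Welcome, " + displayName + "</b>");
    }

    // Fix 1: build the fragment with SafeHtmlBuilder. appendEscaped()
    // HTML-escapes the untrusted part (&, <, >, ", '), while the literal
    // markup is added via appendHtmlConstant(), which only accepts
    // compile-time constants. The result goes to the setHTML(SafeHtml) overload.
    static void renderEscaped(HTML widget, String displayName) {
        SafeHtml greeting = new SafeHtmlBuilder()
            .appendHtmlConstant("<b>Welcome, ")
            .appendEscaped(displayName)
            .appendHtmlConstant("</b>")
            .toSafeHtml();
        widget.setHTML(greeting);
    }

    // Fix 2: a SafeHtmlTemplates interface. The GWT compiler generates the
    // implementation and escapes String parameters in text position, so the
    // untrusted value cannot introduce tags or attributes.
    interface Templates extends SafeHtmlTemplates {
        @Template("<b>Welcome, {0}</b>")
        SafeHtml greeting(String displayName);
    }

    private static final Templates TEMPLATES = GWT.create(Templates.class);

    static void renderTemplated(HTML widget, String displayName) {
        widget.setHTML(TEMPLATES.greeting(displayName));
    }
}
```

For code review, a search for `setHTML(` and `setInnerHTML(` calls whose argument is a `String` rather than a `SafeHtml` turns up the places where the first form is still in use.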
