Here is an update on my current approach. I have created a servlet filter that inspects each request. I use an HttpServletRequestWrapper to get the request body. The filter checks the request's content type for the "text/x-gwt-rpc" string and then does a regular expression check on the request body to detect HTML script tags.
Best,
-- Thomas

On Jun 11, 4:18 pm, tamsler <[email protected]> wrote:
> I am trying to figure out what the best way is to handle JavaScript
> injection cases. Since any client side input validation handling
> doesn't truly prevent one from injecting JS such as using tools like
> Firebug to re-post RPC calls etc.
>
> I am wondering if anybody has attempted to intercept JS injection on
> the server side by "scanning" RPC calls. I could imagine using a
> servlet filter to do this or some other way.
>
> Any ideas/feedback is greatly appreciated.
>
> Best,
> -- Thomas Amsler
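
One way to write the filter described in the message above (an added example, not the poster's code). The class names `GwtRpcScriptFilter` and `CachedBodyRequest` are hypothetical, and it assumes the javax.servlet 3.1+ API and Java 9+ for `readAllBytes()`.

```java
import java.io.*;
import java.nio.charset.StandardCharsets;
import java.util.regex.Pattern;
import javax.servlet.*;
import javax.servlet.http.*;

// Added example: class names are hypothetical; assumes javax.servlet 3.1+ and Java 9+.
public class GwtRpcScriptFilter implements Filter {
    // Opening or closing script tag, any case, optional whitespace after '<'.
    static final Pattern SCRIPT_TAG = Pattern.compile("<\\s*/?\\s*script\\b", Pattern.CASE_INSENSITIVE);

    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}

    @Override public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        String type = http.getContentType();
        if (type == null || !type.startsWith("text/x-gwt-rpc")) {
            chain.doFilter(req, res); // not a GWT-RPC call: pass through untouched
            return;
        }
        // Reading the body consumes the stream, so buffer it once and replay it.
        byte[] body = http.getInputStream().readAllBytes();
        if (SCRIPT_TAG.matcher(new String(body, StandardCharsets.UTF_8)).find()) {
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        chain.doFilter(new CachedBodyRequest(http, body), res);
    }

    // Wrapper that serves the buffered bytes to the RPC servlet downstream.
    static class CachedBodyRequest extends HttpServletRequestWrapper {
        private final byte[] body;
        CachedBodyRequest(HttpServletRequest r, byte[] body) { super(r); this.body = body; }
        @Override public ServletInputStream getInputStream() {
            final ByteArrayInputStream in = new ByteArrayInputStream(body);
            return new ServletInputStream() {
                @Override public int read() { return in.read(); }
                @Override public boolean isFinished() { return in.available() == 0; }
                @Override public boolean isReady() { return true; }
                // Blocking replay only; async reads are not supported by this wrapper.
                @Override public void setReadListener(ReadListener l) { throw new UnsupportedOperationException(); }
            };
        }
        @Override public BufferedReader getReader() {
            return new BufferedReader(new InputStreamReader(getInputStream(), StandardCharsets.UTF_8));
        }
    }
}
```

A script-tag pattern covers only one form of markup, so values still need escaping wherever they are rendered.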
