Hey guys,

Most security papers I've read on the topic of XSS prevention suggest escaping untrusted strings in a context-sensitive way in server-side templating languages. However, I sense that it's different with GWT (and any other JS applications) in that received data from a data source can be used in so many different ways before, during, and after it is inserted in the page. This is particularly true when your GWT application is simply hitting a data source for JSON or XML.

For this reason, it seems like best practice would be to escape in your JS/GWT app immediately before writing untrusted data into a particular context (JavaScript, attribute, etc.). But at the same time, I don't like the idea of possibly dangerous strings buzzing around in the browser memory of my clients, waiting for me to forget escaping a string before writing it to the DOM.

What effective approaches have you taken with your GWT and JS applications to protect against XSS?

Thankee kindly!

--
You received this message because you are subscribed to the Google Groups "Google Web Toolkit" group. For more options, visit this group at http://groups.google.com/group/google-web-toolkit?hl=en.
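One way to get both properties the post asks for (escaping chosen by the target context at the moment of insertion, yet no raw untrusted string able to reach the DOM by accident) is to wrap already-escaped markup in a marker type and make the DOM sink accept only that type; this is the idea behind GWT's SafeHtml, shown here as an added plain-JavaScript example that is not from the original thread or from the GWT code base. The names SafeHtml, html, setInnerHtml and renderUser, and the user record, are my own constructions.

```javascript
// Context-specific escapers, applied at the sink: the moment an untrusted value
// is written into a particular HTML context, and never earlier.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Text content and double-quoted attribute values share entity escaping.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// URL attributes (href/src) also need a scheme check: escaping alone does not stop javascript: URLs.
function escapeUrl(value) {
  const url = String(value).trim();
  return /^(https?:|mailto:)/i.test(url) ? escapeHtml(url) : '#';
}

// Marker type for markup that is already safe to insert. Only the factories
// below can construct it, so a raw string can never be mistaken for one.
const SAFE = Symbol('SafeHtml');
class SafeHtml {
  constructor(html, token) {
    if (token !== SAFE) throw new TypeError('build SafeHtml via fromString/fromUrl/fromTrusted');
    this.html = html;
  }
  static fromString(untrusted) { return new SafeHtml(escapeHtml(untrusted), SAFE); }   // text / attribute context
  static fromUrl(untrusted) { return new SafeHtml(escapeUrl(untrusted), SAFE); }       // URL attribute context
  static fromTrusted(literal) { return new SafeHtml(String(literal), SAFE); }          // program-authored markup
  asString() { return this.html; }
}

// Tagged template: the literal parts come from the program; every interpolated
// value must already be SafeHtml, escaped for the context the author placed it in.
function html(strings, ...values) {
  return SafeHtml.fromTrusted(strings.reduce((out, s, i) => {
    if (i > 0 && !(values[i - 1] instanceof SafeHtml)) throw new TypeError('template values must be SafeHtml');
    return out + (i > 0 ? values[i - 1].asString() : '') + s;
  }, ''));
}

// The single DOM sink. It refuses plain strings, so a forgotten escape
// upstream fails loudly instead of silently injecting markup.
function setInnerHtml(element, safeHtml) {
  if (!(safeHtml instanceof SafeHtml)) throw new TypeError('setInnerHtml requires SafeHtml');
  element.innerHTML = safeHtml.asString();
}

// Constructed record standing in for a JSON response from an untrusted data source.
const untrustedUser = { name: 'Bob "><script>alert(1)</script>', site: 'javascript:alert(1)' };

function renderUser(user) {
  return html`<a href="${SafeHtml.fromUrl(user.site)}" title="${SafeHtml.fromString(user.name)}">${SafeHtml.fromString(user.name)}</a>`;
}
```

In a browser, `setInnerHtml(document.getElementById('user'), renderUser(untrustedUser))` is the only call that touches the DOM, and passing it anything but a SafeHtml throws.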
