On Tue, Oct 30, 2012 at 9:53 AM, Jose María Zaragoza
<[email protected]>wrote:
> public void print(String message)
> {
>     widget.setHTML(message);
> }
>
> this.print("<br>This is an error</br>");
> this.print("<br>This is another error</br>");
>
This code is fine. The risk comes in if you have something like
this.print(user.getName());
and a user sets their name to "<script>alert(1)</script>". But if you look
at either the print() function implementation or any of the callers in
isolation, it's not clear that there's an issue. It's only if you look at
the whole application at once that you can realize there's an issue.
This is also the motivation for GWT's SafeHtml libraries. When used
correctly, they make it easier to security-review GWT code without needing
to double-check whether any given function treats its string arguments as
plain text or HTML.
--
You received this message because you are subscribed to the Google Groups
"Google Web Toolkit" group.
To post to this group, send email to [email protected].
To unsubscribe from this group, send email to
[email protected].
For more options, visit this group at
http://groups.google.com/group/google-web-toolkit?hl=en.
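The pattern described in the reply, written out as an added example (it is not code from the thread or from GWT itself): the original String-taking print() beside a version that takes SafeHtml, so the type signature records whether the argument is trusted markup. The class name ErrorPanel, the field name widget and the method showUserError are assumptions for illustration; the GWT classes used (SafeHtml, SafeHtmlBuilder, SafeHtmlUtils, HTML) are the real ones from com.google.gwt.safehtml and com.google.gwt.user.client.ui.

```java
import com.google.gwt.safehtml.shared.SafeHtml;
import com.google.gwt.safehtml.shared.SafeHtmlBuilder;
import com.google.gwt.safehtml.shared.SafeHtmlUtils;
import com.google.gwt.user.client.ui.HTML;

// Hypothetical widget wrapper used only to illustrate the two signatures.
public class ErrorPanel {
    private final HTML widget = new HTML();

    // The shape from the thread: the String is interpreted as markup by
    // setHTML, but nothing at the call site tells a reviewer that. A caller
    // passing user.getName() here is an XSS, and neither this method nor
    // that caller looks wrong on its own.
    public void printUnsafe(String message) {
        widget.setHTML(message);
    }

    // The SafeHtml version: an untrusted String cannot be passed directly.
    // The caller has to go through SafeHtmlUtils or SafeHtmlBuilder, which
    // is exactly the place a reviewer needs to look.
    public void print(SafeHtml message) {
        widget.setHTML(message);
    }

    // Developer-written markup is appended as a constant; the attacker-
    // controlled name is appended escaped. Mixing the two in one builder
    // keeps the trust boundary visible in the code.
    public void showUserError(String userName) {
        SafeHtml msg = new SafeHtmlBuilder()
            .appendHtmlConstant("<br>This is an error for user ")
            .appendEscaped(userName)
            .toSafeHtml();
        print(msg);
    }

    // Wraps an untrusted string as escaped HTML. The equivalent of
    // passing a raw String to printUnsafe, but with the markup neutralised.
    public static SafeHtml fromUntrusted(String untrusted) {
        return SafeHtmlUtils.fromString(untrusted);
    }

    // For a constant the developer wrote themselves (no user data inside).
    public static SafeHtml fromConstant(String developerMarkup) {
        return SafeHtmlUtils.fromSafeConstant(developerMarkup);
    }
}
```

SafeHtmlUtils.fromString escapes &, <, >, " and ', so the "<script>alert(1)</script>" name from the reply reaches setHTML as literal text rather than a script element. The review benefit is that every place a String becomes SafeHtml is either an escaping call (fromString, appendEscaped) or an explicit fromSafeConstant / appendHtmlConstant that a reviewer can check is a developer-written literal; widgets that only accept SafeHtml cannot be handed raw user input by accident.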