On Tuesday, October 30, 2012 6:04:45 PM UTC+1, Matthew Dempsky wrote:
>
> On Tue, Oct 30, 2012 at 9:53 AM, Jose María Zaragoza
> <[email protected]> wrote:
>
>> public void print(String message)
>> {
>>    widget.setHTML(message);
>> }
>>
>> this.print("<br>This is an error</br>");
>> this.print("<br>This is another error</br>");
>>
>
> This code is fine.  The risk comes from if you have something like
>
>     this.print(user.getName());
>
> and a user sets their name to "<script>alert(1)</script>".  But if you 
> look at either the print() function implementation or any of the callers in 
> isolation, it's not clear that there's an issue.  It's only if you look at 
> the whole application at once that you can realize there's an issue.
>
> This is also the motivation for GWT's SafeHtml libraries.  When used 
> correctly, it makes it easier to security review GWT code without needing 
> to double check whether any given function treats its string arguments as 
> plain text or HTML.
>

Not sure <script>alert(1)</script> would be "at risk" here, as browsers 
generally (I said *generally*, I'm sure there are exceptions, IE maybe?) 
don't execute <script>s on assigning innerHTML; but there are things like 
onclick="alert(1)", <img src="http://vilain">, <img src="neverland" 
onerror="alert(1)">, <iframe 
style="position:absolute;top:0;left:0;bottom:0;right:0;" 
src="http://vilain"></iframe>, etc.

SafeHtml and SafeStyles solve the "primitive obsession" anti-pattern: 
http://c2.com/cgi/wiki?NoStrings
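Added illustration, not code from this thread or from GWT: a minimal TypeScript sketch of the typed-wrapper idea behind SafeHtml. The names escapeHtml, SafeHtml, print, CONSTRUCTED_NAMES and containsRawMarkupChars are assumptions chosen for the example; print() stands in for widget.setHTML(), and the sample names are constructed to match the payload shapes discussed above (a script tag, an img with an onerror handler, and an ordinary name). The point is the one made in both replies: once the sink accepts only SafeHtml, a call such as print(user.getName()) no longer compiles, so each call site can be reviewed on its own, and input that reaches the sink through fromString() renders as inert text whether the browser would have run a script tag or only an event handler attribute.

```typescript
// Escape the five characters that let text break out of an HTML text node
// or an attribute value. Output renders as literal characters, not markup.
function escapeHtml(text: string): string {
  return text
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// The constructor is private, so the only ways to obtain a SafeHtml are the
// two factories below. A value of this type therefore carries the guarantee
// "already escaped, or deliberately marked trusted by a reviewer".
class SafeHtml {
  private constructor(private readonly html: string) {}

  // For input of unknown origin (user names, messages): always escaped.
  static fromString(text: string): SafeHtml {
    return new SafeHtml(escapeHtml(text));
  }

  // For markup the developer controls (constants, templates). Every call
  // site is a grep-able place where HTML is asserted to be trusted.
  static fromTrustedString(html: string): SafeHtml {
    return new SafeHtml(html);
  }

  asString(): string {
    return this.html;
  }
}

// Stand-in for widget.setHTML(...) / innerHTML assignment (hypothetical).
// Because the parameter type is SafeHtml rather than string,
// print(user.getName()) is a compile-time error. The function returns the
// string that would reach the sink so the result can be inspected.
function print(message: SafeHtml): string {
  return message.asString();
}

// Constructed sample input: the payload shapes mentioned in the thread plus
// an ordinary name (so escaping is shown to leave plain text alone).
const CONSTRUCTED_NAMES: string[] = [
  "<script>alert(1)</script>",
  '<img src="neverland" onerror="alert(1)">',
  "Jose María",
];

// Does a string still contain any character that can open a tag or close
// an attribute value? After escapeHtml() the answer must be false.
function containsRawMarkupChars(s: string): boolean {
  return /[<>"']/.test(s);
}

// The safe version of the "print every user's name" loop from the thread.
function renderUserNames(names: string[]): string[] {
  return names.map((n) => print(SafeHtml.fromString(n)));
}

// Trusted markup still works, but only through the explicitly named factory.
const ERROR_BANNER: string = print(SafeHtml.fromTrustedString("<br>This is an error"));
```

The useful property is not the escaping routine itself (any HTML library has one) but that the string type never reaches print(): a reviewer only needs to audit the fromTrustedString() call sites, which is exactly the "no strings" discipline the c2 page describes.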

-- 
You received this message because you are subscribed to the Google Groups 
"Google Web Toolkit" group.
To view this discussion on the web visit 
https://groups.google.com/d/msg/google-web-toolkit/-/S--9PXzMLPcJ.
To post to this group, send email to [email protected].
To unsubscribe from this group, send email to 
[email protected].
For more options, visit this group at 
http://groups.google.com/group/google-web-toolkit?hl=en.