Re: Preventing user input script-injection attacks
Igor, I was unaware of the class org.apache.wicket.util.string.Strings, let alone that package. The Strings.escapeMarkup(...) method you mentioned fits my needs exactly. Thank you.

Michał, thank you also for your tip. I shall be using the Wicket method that Igor mentioned. I shall also be having a play with that package to see what else is there!

Regards,
Ian
Re: Preventing user input script-injection attacks
Yes, we only escape on the output. Escaping the input itself makes little sense. If you want to escape the input before you store it, use the Strings.escapeMarkup() util method.

-igor

On Fri, Nov 26, 2010 at 6:34 AM, Ian Marshall wrote:

> Hello Igor,
>
> I remain an Ant person for now and not a Maven person, so instead of a quickstart project I attach HTML and Java code for a Wicket test page:
>
> http://apache-wicket.1842946.n4.nabble.com/file/n3060397/PageSpecificTest.html (PageSpecificTest.html)
> http://apache-wicket.1842946.n4.nabble.com/file/n3060397/PageSpecificTest.java (PageSpecificTest.java)
>
> I commented out the log output in case you use a different log output method to me.
>
> This web page accepts input in a TextField and TextArea component, and after form submission it renders this input in both the original components and also as copied to a Label and TextArea component respectively.
>
> My results are that Wicket does indeed escape the mark-up in rendered components automatically. However, the strings stored in the components' models are not escaped.
>
> To save you running the attached Wicket web page, I set out my post-submission results below. Firstly is some log output from the component models, and then the page source of the four components mentioned above:
>
> 26-Nov-2010 13:43:14 [...].PageSpecificTest doSubmit
> FINE: g_pstdData data member values are:
> sSingleLineInput = ""
> sMultiLineInput = "
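As an added illustration of Igor's point (this is example code written for this page, not code from the thread or from the Wicket project), a Wicket 1.4-style page that leaves the raw input in its model, renders it through a Label with the default escapeModelStrings setting, and keeps a second copy escaped with Strings.escapeMarkup at submission time. A markup file EscapeDemoPage.html with matching wicket:id attributes ("form", "input", "rendered", "stored") is assumed.

```java
// Added example, not from the thread. Assumes Wicket 1.4-era APIs and a
// hypothetical EscapeDemoPage.html carrying the wicket:id values used below.
import org.apache.wicket.markup.html.WebPage;
import org.apache.wicket.markup.html.basic.Label;
import org.apache.wicket.markup.html.form.Form;
import org.apache.wicket.markup.html.form.TextField;
import org.apache.wicket.model.PropertyModel;
import org.apache.wicket.util.string.Strings;

public class EscapeDemoPage extends WebPage {
    // Raw text exactly as typed; Wicket does not touch the model value.
    private String input = "";
    // Copy escaped once at submission time, for storage that other (non-Wicket)
    // consumers may read without escaping on output themselves.
    private String stored = "";

    public EscapeDemoPage() {
        Form<Void> form = new Form<Void>("form") {
            @Override
            protected void onSubmit() {
                // Strings.escapeMarkup turns <, >, & and quotes into entities,
                // e.g. "<b>hi</b>" becomes "&lt;b&gt;hi&lt;/b&gt;".
                stored = Strings.escapeMarkup(input).toString();
            }
        };
        add(form);
        form.add(new TextField<String>("input",
                new PropertyModel<String>(this, "input")));

        // Preferred path (what Igor describes): keep the model raw and let the
        // Label escape on output. escapeModelStrings is true by default, so a
        // model value of "<script>" is written to the page as "&lt;script&gt;".
        add(new Label("rendered", new PropertyModel<String>(this, "rendered")));

        // Caveat when escaping at store time instead: the stored copy is already
        // safe markup, so output escaping must be switched OFF for it, or the
        // user sees a double-escaped "&amp;lt;b&amp;gt;". This is only safe if
        // every code path that writes "stored" escapes it; with the default
        // output escaping above, no such invariant has to be maintained.
        add(new Label("stored", new PropertyModel<String>(this, "stored"))
                .setEscapeModelStrings(false));
    }
}
```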
Re: Preventing user input script-injection attacks
Hello Igor,

I remain an Ant person for now and not a Maven person, so instead of a quickstart project I attach HTML and Java code for a Wicket test page:

http://apache-wicket.1842946.n4.nabble.com/file/n3060397/PageSpecificTest.html (PageSpecificTest.html)
http://apache-wicket.1842946.n4.nabble.com/file/n3060397/PageSpecificTest.java (PageSpecificTest.java)

I commented out the log output in case you use a different log output method to me.

This web page accepts input in a TextField and TextArea component, and after form submission it renders this input in both the original components and also as copied to a Label and TextArea component respectively.

My results are that Wicket does indeed escape the mark-up in rendered components automatically. However, the strings stored in the components' models are not escaped.

To save you running the attached Wicket web page, I set out my post-submission results below. Firstly is some log output from the component models, and then the page source of the four components mentioned above:

26-Nov-2010 13:43:14 [...].PageSpecificTest doSubmit
FINE: g_pstdData data member values are:
sSingleLineInput = ""
sMultiLineInput = "
Re: Preventing user input script-injection attacks
You can also try to use: http://nekohtml.sourceforge.net/

On 2010-11-25 18:39, Ian Marshall wrote:
> Thanks for that, Patrick. I'll take a look at these tomorrow to see what they have got.
Re: Preventing user input script-injection attacks
Wicket should already escape the markup for you. Please provide a quickstart where it is not doing it.

-igor

On Thu, Nov 25, 2010 at 7:15 AM, Ian Marshall wrote:

> If a user has entered some HTML in a TextField or TextArea when I do not want HTML to be entered, what is a good way to prevent this?
>
> Currently, I store the offending strings and then render them using a Label or MultiLineLabel, but for neither component does
>
>     Component.setEscapeModelStrings(true);
>
> have an effect (presumably since this setting is already true by default).
>
> Am I condemned to coding a method to examine the models of my TextField and TextArea components at form-submission-time and remove any HTML code manually?
>
> Any comments would be appreciated,
>
> Ian
Re: Preventing user input script-injection attacks
Thanks for that, Patrick. I'll take a look at these tomorrow to see what they have got.
Re: Preventing user input script-injection attacks
Sorry about that. By "I do not want HTML to be entered" I meant "character strings which are rendered by a browser additional to, or instead of, being displayed as that character string." Examples are:
Re: Preventing user input script-injection attacks
On 2010-11-25 16:15, Ian Marshall wrote:
> If a user has entered some HTML in a TextField or TextArea when I do not want HTML to be entered, what is a good way to prevent this?

In our project we are using OWASP AntiSamy to prevent XSS attacks. It is easy to use, has a couple of templates (slashdot, ebay, ...) and works like a charm.

http://www.owasp.org/index.php/Category:OWASP_AntiSamy_Project
http://code.google.com/p/owaspantisamy/

Regards,
Patrick
Re: Preventing user input script-injection attacks
Hi!

I think there are libraries that can provide you with scripting detection or escaping... However, "I do not want HTML to be entered" is quite a vague rule. Even plain alphabets are HTML.

**
Martin

2010/11/25 Ian Marshall:

> If a user has entered some HTML in a TextField or TextArea when I do not want HTML to be entered, what is a good way to prevent this?
>
> Currently, I store the offending strings and then render them using a Label or MultiLineLabel, but for neither component does
>
>     Component.setEscapeModelStrings(true);
>
> have an effect (presumably since this setting is already true by default).
>
> Am I condemned to coding a method to examine the models of my TextField and TextArea components at form-submission-time and remove any HTML code manually?
>
> Any comments would be appreciated,
>
> Ian
Preventing user input script-injection attacks
If a user has entered some HTML in a TextField or TextArea when I do not want HTML to be entered, what is a good way to prevent this?

Currently, I store the offending strings and then render them using a Label or MultiLineLabel, but for neither component does

    Component.setEscapeModelStrings(true);

have an effect (presumably since this setting is already true by default).

Am I condemned to coding a method to examine the models of my TextField and TextArea components at form-submission-time and remove any HTML code manually?

Any comments would be appreciated,

Ian