Re: About XML Injection

2020-04-10 Thread Shengche Hsiao
Yes, super thanks for detailed explanation

On Sat, Apr 11, 2020 at 11:19 AM Martin Terra <
martin.te...@koodaripalvelut.com> wrote:

> On Sat, 11 Apr 2020 at 05:58, Shengche Hsiao (shengchehs...@gmail.com)
> wrote:
>
> > Thanks Martin, I might have misunderstood the report, and I'll validate the
> > submitted values to prevent XML injection.
> >
>
> You're welcome. To clarify: validation can prevent any malicious effects of
> injected values, but it cannot prevent the injection itself. Therefore,
> validation could cure the issue found in the report. This should
> of course be verified by reproducing the issue before the fix and confirming
> that applying the fix successfully mitigates the issue.
>
> **
> Martin
>

Re: About XML Injection

2020-04-10 Thread Martin Terra
On Sat, 11 Apr 2020 at 05:58, Shengche Hsiao (shengchehs...@gmail.com)
wrote:

> Thanks Martin, I might have misunderstood the report, and I'll validate the
> submitted values to prevent XML injection.
>

You're welcome. To clarify: validation can prevent any malicious effects of
injected values, but it cannot prevent the injection itself. Therefore,
validation could cure the issue found in the report. This should
of course be verified by reproducing the issue before the fix and confirming
that applying the fix successfully mitigates the issue.

**
Martin


Re: About XML Injection

2020-04-10 Thread Shengche Hsiao
Thanks Martin, I might have misunderstood the report, and I'll validate the
submitted values to prevent XML injection.

On Thu, Apr 9, 2020 at 8:07 PM Martin Grigorov  wrote:

> I still do not understand what exactly is the issue here.
>
> The client/browser submits the values as key/value pairs
> (application/x-www-form-urlencoded).
> The server responds with XML that is processed by wicket-ajax.js.
> How could validation of the submitted values help with the XML injection?!
>

Re: About XML Injection

2020-04-09 Thread Martin Terra
So long as you are able to reproduce the issue and evaluate if you can
confirm the fix, it should be ok. You can then fine-tune the solution.

**
Martin

On Thu, 9 Apr 2020 at 15:07, Martin Grigorov (mgrigo...@apache.org)
wrote:

> I still do not understand what exactly is the issue here.
>
> The client/browser submits the values as key/value pairs
> (application/x-www-form-urlencoded).
> The server responds with XML that is processed by wicket-ajax.js.
> How could validation of the submitted values help with the XML injection?!
>

Re: About XML Injection

2020-04-09 Thread Martin Grigorov
I still do not understand what exactly is the issue here.

The client/browser submits the values as key/value pairs
(application/x-www-form-urlencoded).
The server responds with XML that is processed by wicket-ajax.js.
How could validation of the submitted values help with the XML injection?!


On Thu, Apr 9, 2020 at 2:52 PM Shengche Hsiao 
wrote:

> Thank you, I'll do that and see if works
>

Re: About XML Injection

2020-04-09 Thread Shengche Hsiao
Thank you, I'll do that and see if it works

On Thu, Apr 9, 2020 at 6:35 PM Martin Terra <
martin.te...@koodaripalvelut.com> wrote:

> Can you solve this by simply validating whether the submitted values are legal? This
> way it does not matter if the client tries to override the submit.
>
> **
> Martin

Re: About XML Injection

2020-04-09 Thread Martin Terra
Can you solve this by simply validating whether the submitted values are legal? This
way it does not matter if the client tries to override the submit.

**
Martin

On Thu, 9 Apr 2020 at 12:22, Shengche Hsiao (shengchehs...@gmail.com)
wrote:

> I got a report; it suggests our web site deal with an XML injection issue.
> We use DropDownChoice with OnChangeAjaxBehavior to invoke another
> DropDownChoice via the wicket-ajax built-in XML payload, and the reporters
> used Burp Suite to inject XML into the XML payload, such as inject
>
> [image: image.png]
> <https://drive.google.com/file/d/1U9nls1Z7tfs_zqEvbLLYsef89BFMopeY/view?usp=drive_web>
>
> which resulted in some abnormal response
>
> [image: image.png]
> <https://drive.google.com/file/d/1RcAegoREfmkdPNm1DCw9ouUyfI20lh7K/view?usp=drive_web>
>
> As a result, I have to prevent the XML injection. Do I check the entire
> payload or only check the values we need?
>

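Putting Martin Terra's suggestion above into code, as an added example that is not from this thread and not Apache Wicket's own code: a parent/child pair of DropDownChoice components wired with OnChangeAjaxBehavior, where the set of legal values for the child is recomputed on the server from the parent's current selection on every request. Editing the server's ajax-response XML in Burp only changes what the tester's own browser receives; the side the server can control is the request, so the check belongs on the submitted values, which is the point Martin Grigorov makes about the key/value request and the XML response. The page class, the country/city sample data and the assumption of a Wicket 9 / Java 11 project are mine; the matching HTML template (wicket:id="form", "country", "city") is omitted.

```java
// Added example (not code from the thread or from Apache Wicket itself).
// Assumes Wicket 9 on Java 11; page class and choice data are hypothetical.
import java.util.List;
import java.util.Map;

import org.apache.wicket.ajax.AjaxRequestTarget;
import org.apache.wicket.ajax.form.OnChangeAjaxBehavior;
import org.apache.wicket.markup.html.WebPage;
import org.apache.wicket.markup.html.form.DropDownChoice;
import org.apache.wicket.markup.html.form.Form;
import org.apache.wicket.model.IModel;
import org.apache.wicket.model.LoadableDetachableModel;
import org.apache.wicket.model.Model;

public class DependentChoicePage extends WebPage {

    // Constructed sample data: the server's own source of truth for what is legal.
    private static final List<String> COUNTRIES = List.of("FI", "TW");
    private static final Map<String, List<String>> CITIES_BY_COUNTRY = Map.of(
        "FI", List.of("Helsinki", "Tampere"),
        "TW", List.of("Taipei", "Taichung"));

    private final IModel<String> country = Model.of();
    private final IModel<String> city = Model.of();

    public DependentChoicePage() {
        Form<Void> form = new Form<Void>("form") {
            @Override
            protected void onSubmit() {
                // Defence in depth: both choices have already been resolved against
                // their server-side choice lists by the time we get here, but the
                // explicit check states the invariant in one place and survives
                // refactoring of the components above.
                List<String> legal = CITIES_BY_COUNTRY.getOrDefault(country.getObject(), List.of());
                if (!legal.contains(city.getObject())) {
                    error("Selected city is not valid for the selected country");
                    return;
                }
                info("Saved " + city.getObject() + ", " + country.getObject());
            }
        };
        add(form);

        // Parent: a fixed, server-defined choice list.
        DropDownChoice<String> countryChoice = new DropDownChoice<>("country", country, COUNTRIES);
        countryChoice.setRequired(true);
        form.add(countryChoice);

        // Child: its choice list is derived on each request from the parent's current
        // model value, never from anything the client sent for the child itself.
        IModel<List<String>> cityChoices = new LoadableDetachableModel<List<String>>() {
            @Override
            protected List<String> load() {
                return CITIES_BY_COUNTRY.getOrDefault(country.getObject(), List.of());
            }
        };
        DropDownChoice<String> cityChoice = new DropDownChoice<>("city", city, cityChoices);
        cityChoice.setRequired(true);
        cityChoice.setOutputMarkupId(true); // the Ajax response must be able to replace it
        form.add(cityChoice);

        // The Ajax round trip the report was about: the browser posts the field as an
        // ordinary key/value pair, the server re-renders the child and answers with
        // Wicket's ajax-response XML, which wicket-ajax.js applies to the DOM.
        countryChoice.add(new OnChangeAjaxBehavior() {
            @Override
            protected void onUpdate(AjaxRequestTarget target) {
                city.setObject(null); // never carry a stale child value across a parent change
                target.add(cityChoice);
            }
        });
    }
}
```

A request whose city field carries an id outside the list computed for the current country does not resolve to a choice (as I understand it, Wicket's single-select components look the submitted id up in their current choice list), so with setRequired(true) the form fails validation rather than storing a tampered value; the onSubmit check restates that rule explicitly. This is also the workflow Martin Terra's follow-up asks for: capture the reported request in the proxy first, apply the change, then replay the same request and confirm it is now rejected.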
Re: About XML Injection

2020-04-09 Thread Shengche Hsiao
I got a report; it suggests our web site deal with an XML injection issue.
We use DropDownChoice with OnChangeAjaxBehavior to invoke another
DropDownChoice via the wicket-ajax built-in XML payload, and the reporters
used Burp Suite to inject XML into the XML payload, such as inject

[image: image.png]

which resulted in some abnormal response

[image: image.png]

As a result, I have to prevent the XML injection. Do I check the entire
payload or only check the values we need?

On Thu, Apr 9, 2020 at 4:57 PM Martin Grigorov  wrote:

> The images didn't make it to the mailing list.
> Please use some online image paste bin.


-- 

--->
We do this not because it is easy. We do this because it is hard.
--->
ShengChe Hsiao
--->
front...@gmail.com
front...@tc.edu.tw
--->
VoIP : 070-910-2450
--->


Re: About XML Injection

2020-04-09 Thread Martin Grigorov
The images didn't make it to the mailing list.
Please use some online image paste bin.

On Thu, Apr 9, 2020 at 11:33 AM Shengche Hsiao 
wrote:

> I got a report; it suggests that our web site deal with an XML injection issue.
> We use DropDownChoice with OnChangeAjaxBehavior to invoke another
> DropDownChoice via the wicket-ajax built-in XML payload, and the reporters used
> Burp Suite to inject XML into the XML payload, such as injecting
>
> [image: image.png]
>
> and resulted in some abnormal response
>
> [image: image.png]
>
> As a result, I have to prevent the XML injection. Do I check the entire
> payload or only check the value we need?


Re: About XML Injection

2020-04-09 Thread Shengche Hsiao
I got a report; it suggests that our web site deal with an XML injection issue.
We use DropDownChoice with OnChangeAjaxBehavior to invoke another
DropDownChoice via the wicket-ajax built-in XML payload, and the reporters
used Burp Suite to inject XML into the XML payload, such as injecting

[image: image.png]

and resulted in some abnormal response

[image: image.png]

As a result, I have to prevent the XML injection. Do I check the entire
payload or only check the value we need?

On Thu, Apr 9, 2020 at 4:11 PM Martin Grigorov  wrote:

> On Thu, Apr 9, 2020 at 11:09 AM Shengche Hsiao 
> wrote:
>
> > Yes, I need to know overriding which methods
> >
>
> I still do not understand what exactly you need to accomplish.
> Please be more specific!
>
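One way to keep a dependent DropDownChoice chain like the one described above driven entirely by server-side state, with the submitted value checked against an allow-list before the Ajax update runs. This is an added example, not code from this thread or from the Wicket project; the page class, component ids and the COUNTRIES/CITIES sample data are assumptions.

```java
import java.util.*;
import org.apache.wicket.ajax.AjaxRequestTarget;
import org.apache.wicket.ajax.form.OnChangeAjaxBehavior;
import org.apache.wicket.markup.html.WebPage;
import org.apache.wicket.markup.html.form.DropDownChoice;
import org.apache.wicket.markup.html.form.Form;
import org.apache.wicket.model.IModel;
import org.apache.wicket.model.LoadableDetachableModel;
import org.apache.wicket.model.Model;
import org.apache.wicket.validation.IValidatable;
import org.apache.wicket.validation.IValidator;
import org.apache.wicket.validation.ValidationError;

// Hypothetical page with constructed sample data: changing the country reloads the city choice over Ajax.
public class CountryPage extends WebPage {
    private static final List<String> COUNTRIES = Arrays.asList("TW", "FI");
    private static final Map<String, List<String>> CITIES = new HashMap<>();
    static {
        CITIES.put("TW", Arrays.asList("Taipei", "Taichung"));
        CITIES.put("FI", Arrays.asList("Helsinki", "Tampere"));
    }
    private final IModel<String> country = new Model<>();
    private final IModel<String> city = new Model<>();

    public CountryPage() {
        Form<Void> form = new Form<>("form");
        add(form);
        // City options are derived from the server-side model only, so the Ajax
        // XML response can only carry options the server itself selected.
        IModel<List<String>> cityChoices = new LoadableDetachableModel<List<String>>() {
            @Override
            protected List<String> load() {
                return CITIES.getOrDefault(country.getObject(), Collections.emptyList());
            }
        };
        DropDownChoice<String> cityChoice = new DropDownChoice<>("city", city, cityChoices);
        cityChoice.setOutputMarkupId(true);
        DropDownChoice<String> countryChoice = new DropDownChoice<>("country", country, COUNTRIES);
        // Wicket maps the submitted id back onto COUNTRIES; an unknown id converts to
        // null, which setRequired(true) rejects. The validator is defence in depth.
        countryChoice.setRequired(true);
        countryChoice.add((IValidator<String>) v -> {
            if (!COUNTRIES.contains(v.getValue())) {
                v.error(new ValidationError().setMessage("unknown country"));
            }
        });
        countryChoice.add(new OnChangeAjaxBehavior() {
            @Override
            protected void onUpdate(AjaxRequestTarget target) {
                // Reached only after the submitted value converted and validated.
                city.setObject(null);
                target.add(cityChoice);
            }
        });
        form.add(countryChoice, cityChoice);
    }
}
```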


Re: About XML Injection

2020-04-09 Thread Martin Grigorov
On Thu, Apr 9, 2020 at 11:09 AM Shengche Hsiao 
wrote:

> Yes, I need to know overriding which methods
>

I still do not understand what exactly you need to accomplish.
Please be more specific!




Re: About XML Injection

2020-04-09 Thread Shengche Hsiao
Yes, I need to know overriding which methods

On Thu, Apr 9, 2020 at 16:03 Martin Grigorov  wrote:

> Hi,
>
> On Thu, Apr 9, 2020 at 10:27 AM ShengChe Hsiao  wrote:
>
> > Dear all
> >
> > I use the built-in Ajax DropDownChoice component; its default payload is an XML
> > entity, but if I need to prevent XML injection, how can I do that?
> >
>
> Could you please give some more information what exactly you need?
>


Re: About XML Injection

2020-04-09 Thread Shengche Hsiao
Thanks, I’ll figure it out

On Thu, Apr 9, 2020 at 16:03 Martin Grigorov  wrote:

> Hi,
>
> On Thu, Apr 9, 2020 at 10:27 AM ShengChe Hsiao  wrote:
>
> > Dear all
> >
> > I use the built-in Ajax DropDownChoice component; its default payload is an XML
> > entity, but if I need to prevent XML injection, how can I do that?
> >
>
> Could you please give some more information what exactly you need?
>


Re: About XML Injection

2020-04-09 Thread Shengche Hsiao
Thanks

On Thu, Apr 9, 2020 at 15:57 Martin Terra 
wrote:

> I'd recommend you simply include it with the Maven options in your IDE; this
> way it is always there with you.
>
> You can google it, and there are some recent previous Wicket threads about
> it too:
>
> http://apache-wicket.1842946.n4.nabble.com/Where-to-download-Javadoc-for-Wicket-8-x-td4683643.html#a4683654
>
> **
> Martin
>
> On Thu, 9 Apr 2020 at 10.55 Shengche Hsiao (shengchehs...@gmail.com)
> wrote:


Re: About XML Injection

2020-04-09 Thread Martin Grigorov
Hi,

On Thu, Apr 9, 2020 at 10:27 AM ShengChe Hsiao  wrote:

> Dear all
>
> I use the built-in Ajax DropDownChoice component; its default payload is an XML
> entity, but if I need to prevent XML injection, how can I do that?
>

Could you please give some more information what exactly you need?




Re: About XML Injection

2020-04-09 Thread Martin Terra
I'd recommend you simply include it with the Maven options in your IDE; this
way it is always there with you.

You can google it, and there are some recent previous Wicket threads about
it too:
http://apache-wicket.1842946.n4.nabble.com/Where-to-download-Javadoc-for-Wicket-8-x-td4683643.html#a4683654

**
Martin

On Thu, 9 Apr 2020 at 10.55 Shengche Hsiao (shengchehs...@gmail.com)
wrote:

> I can check out the source from GitHub, but I need some advice to start, thanks


Re: About XML Injection

2020-04-09 Thread Shengche Hsiao
I can check out the source from GitHub, but I need some advice to start, thanks

On Thu, Apr 9, 2020 at 3:36 PM Martin Terra <
martin.te...@koodaripalvelut.com> wrote:

> You could override some of the methods that do the injecting. Do you have
> the wicket sources?
>
> **
> Martin


Re: About XML Injection

2020-04-09 Thread Martin Terra
You could override some of the methods that do the injecting. Do you have
the wicket sources?

**
Martin

On Thu, 9 Apr 2020 at 10.27 ShengChe Hsiao (front...@gmail.com) wrote:

> Dear all
>
> I use the built-in Ajax DropDownChoice component; its default payload is an XML
> entity, but if I need to prevent XML injection, how can I do that?


About XML Injection

2020-04-09 Thread ShengChe Hsiao
Dear all

I use the built-in Ajax DropDownChoice component; its default payload is an XML
entity, but if I need to prevent XML injection, how can I do that?



--->
To boldly go where no man has gone before.
--->
We do this not because it is easy. We do this because it is hard.
--->
If I have seen further it is by standing on the shoulders of giants.
--->
front...@gmail.com
--->