Re: Preventing user input script-injection attacks

2010-11-29 Thread Ian Marshall

Igor

I was unaware of the class org.apache.wicket.util.string.Strings, let alone
that package. The Strings.escapeMarkup(...) method you mentioned fits my
needs exactly. Thank you.


Michał
--
Thank you also for your tip. I shall be using the Wicket method that Igor
mentioned. I shall also be having a play with that package to see what else
is there!


Regards,

Ian
-- 
View this message in context: 
http://apache-wicket.1842946.n4.nabble.com/Preventing-user-input-script-injection-attacks-tp3059119p3064004.html
Sent from the Users forum mailing list archive at Nabble.com.

-
To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org
For additional commands, e-mail: users-h...@wicket.apache.org



Re: Preventing user input script-injection attacks

2010-11-26 Thread Ian Marshall

Hello Igor,

I remain an Ant person for now and not a Maven person, so instead of a
quickstart project I attach HTML and Java code for a Wicket test page:

  
http://apache-wicket.1842946.n4.nabble.com/file/n3060397/PageSpecificTest.html
PageSpecificTest.html 
  
http://apache-wicket.1842946.n4.nabble.com/file/n3060397/PageSpecificTest.java
PageSpecificTest.java 

I commented out the log output in case you use a different log output method
to me.

This web page accepts input in a TextField and TextAreaString component,
and after form submission it renders this input in both the original
components and also as copied to a Label and TextArea component
respectively.

My results are that Wicket does indeed escape the mark-up in rendered
components automatically. However, the strings stored in the components'
models are not escaped.

To save you running the attached Wicket web page, I set out my
post-submission results below. Firstly is some log output from the component
models, and then the page source of the four components mentioned above:


  26-Nov-2010 13:43:14 [...].PageSpecificTest doSubmit
   FINE: g_pstdData data member values are:
    sSingleLineInput  = </body>
    sMultiLineInput   = <!--.


<input type="text" wicket:id="sSingleLineInput" size="40" tabindex="1"
value="&lt;/body&gt;" name="sSingleLineInput"/>

<span wicket:id="sSingleLineOutput">&lt;/body&gt;</span>

<textarea wicket:id="sMultiLineInput" cols="50" rows="10" tabindex="2"
name="sMultiLineInput">&lt;!--</textarea>

<textarea wicket:id="sMultiLineOutput" cols="50" rows="10" tabindex="4"
name="sMultiLineOutput">&lt;!--</textarea>


Is this expected Wicket behaviour? If so, then I shall need to strip
scripting from the model strings myself (hopefully using one of the examples
kindly supplied already in this topic). If not, then I submit this post for
your evaluation.

(I raise this topic because I build an address in Java code from several
address elements, each one gathered by a TextField component. I then output
the resultant address, which currently allows scripting through without
having been escaped.)

I look forward to hearing any views,

Ian
-- 
View this message in context: 
http://apache-wicket.1842946.n4.nabble.com/Preventing-user-input-script-injection-attacks-tp3059119p3060397.html
Sent from the Users forum mailing list archive at Nabble.com.




Re: Preventing user input script-injection attacks

2010-11-26 Thread Igor Vaynberg
yes, we only escape on the output. escaping the input itself makes
little sense. if you want to escape the input before you store it use
Strings.escapeMarkup() util method.

-igor

On Fri, Nov 26, 2010 at 6:34 AM, Ian Marshall ianmarshall...@gmail.com wrote:

 Hello Igor,

 I remain an Ant person for now and not a Maven person, so instead of a
 quickstart project I attach HTML and Java code for a Wicket test page:


 http://apache-wicket.1842946.n4.nabble.com/file/n3060397/PageSpecificTest.html
 PageSpecificTest.html

 http://apache-wicket.1842946.n4.nabble.com/file/n3060397/PageSpecificTest.java
 PageSpecificTest.java

 I commented out the log output in case you use a different log output method
 to me.

 This web page accepts input in a TextField and TextAreaString component,
 and after form submission it renders this input in both the original
 components and also as copied to a Label and TextArea component
 respectively.

 My results are that Wicket does indeed escape the mark-up in rendered
 components automatically. However, the strings stored in the components'
 models are not escaped.

 To save you running the attached Wicket web page, I set out my
 post-submission results below. Firstly is some log output from the component
 models, and then the page source of the four components mentioned above:


  26-Nov-2010 13:43:14 [...].PageSpecificTest doSubmit
   FINE: g_pstdData data member values are:
    sSingleLineInput  = </body>
    sMultiLineInput   = <!--.


 <input type="text" wicket:id="sSingleLineInput" size="40" tabindex="1"
 value="&lt;/body&gt;" name="sSingleLineInput"/>

 <span wicket:id="sSingleLineOutput">&lt;/body&gt;</span>

 <textarea wicket:id="sMultiLineInput" cols="50" rows="10" tabindex="2"
 name="sMultiLineInput">&lt;!--</textarea>

 <textarea wicket:id="sMultiLineOutput" cols="50" rows="10" tabindex="4"
 name="sMultiLineOutput">&lt;!--</textarea>


 Is this expected Wicket behaviour? If so, then I shall need to strip
 scripting from the model strings myself (hopefully using one of the examples
 kindly supplied already in this topic). If not, then I submit this post for
 your evaluation.

 (I raise this topic because I build an address in Java code from several
 address elements, each one gathered by a TextField component. I then output
 the resultant address, which currently allows scripting through without
 having been escaped.)

 I look forward to hearing any views,

 Ian



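As an added example (not code from the thread, and not Wicket's own): a Wicket 1.4 page that assembles Ian's multi-element address from several TextFields and renders it the way Igor describes, escaping only at output time while the models keep the raw text. It assumes a matching AddressPage.html with wicket:id values form, street, town and address, and that the address is shown with <br/> line breaks, which is what forces setEscapeModelStrings(false) on the Label and makes escaping each user-supplied piece the developer's job.

```java
import org.apache.wicket.markup.html.WebPage;
import org.apache.wicket.markup.html.basic.Label;
import org.apache.wicket.markup.html.form.Form;
import org.apache.wicket.markup.html.form.TextField;
import org.apache.wicket.model.AbstractReadOnlyModel;
import org.apache.wicket.model.Model;
import org.apache.wicket.util.string.Strings;

// Hypothetical page for this example; the wicket:ids are assumed to exist in AddressPage.html.
public class AddressPage extends WebPage {
    // The models hold the raw, unescaped user input, exactly as Ian observed.
    private final Model<String> street = Model.of("");
    private final Model<String> town = Model.of("");

    public AddressPage() {
        Form<Void> form = new Form<Void>("form");
        add(form);
        form.add(new TextField<String>("street", street));
        form.add(new TextField<String>("town", town));

        // Unsafe variant: concatenate the raw values, then switch escaping off
        // so the <br/> renders. Whatever the user typed is emitted as live markup.
        //   Label bad = new Label("address", street.getObject() + "<br/>" + town.getObject());
        //   bad.setEscapeModelStrings(false);

        // Safe variant: escape each untrusted piece at output time and keep only
        // our own <br/> unescaped. The models stay unescaped, so nothing is
        // double-encoded if the same text is later shown through an escaping Label.
        Label address = new Label("address", new AbstractReadOnlyModel<String>() {
            @Override
            public String getObject() {
                return assembleAddress(street.getObject(), town.getObject());
            }
        });
        address.setEscapeModelStrings(false); // safe only because of escapeMarkup below
        add(address);
    }

    // Escapes every user-supplied line with Wicket's Strings.escapeMarkup and joins
    // the results with trusted markup; empty or null lines (blank fields) are skipped.
    static String assembleAddress(String... lines) {
        StringBuilder sb = new StringBuilder();
        for (String line : lines) {
            if (Strings.isEmpty(line)) { continue; }
            if (sb.length() > 0) { sb.append("<br/>"); }
            sb.append(Strings.escapeMarkup(line));
        }
        return sb.toString();
    }
}
```

The rule the two variants illustrate: disable a component's escaping only for markup you produced yourself, and escape every user-supplied fragment at the point where it is mixed into that markup, not when it is read from the form.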



Preventing user input script-injection attacks

2010-11-25 Thread Ian Marshall

If a user has entered some HTML in a TextField or TextAreaString when I do
not want HTML to be entered, what is a good way to prevent this?

Currently, I store the offending strings and then render them using a Label
or MultiLineLabel, but for neither component does

  Component.setEscapeModelStrings(true);

have an effect (presumably since this setting is already true by default).

Am I condemned to coding a method to examine the models of my TextField and
TextAreaString components at form-submission-time and remove any HTML code
manually?

Any comments would be appreciated,

Ian
-- 
View this message in context: 
http://apache-wicket.1842946.n4.nabble.com/Preventing-user-input-script-injection-attacks-tp3059119p3059119.html
Sent from the Users forum mailing list archive at Nabble.com.




Re: Preventing user input script-injection attacks

2010-11-25 Thread Martin Makundi
Hi!

I think there are libraries that can provide you with scripting
detection or escaping...

However, "I do not want HTML to be entered" is quite a vague rule. Even
plain alphabets are HTML.

**
Martin

2010/11/25 Ian Marshall ianmarshall...@gmail.com:

 If a user has entered some HTML in a TextField or TextAreaString when I do
 not want HTML to be entered, what is a good way to prevent this?

 Currently, I store the offending strings and then render them using a Label
 or MultiLineLabel, but for neither component does

  Component.setEscapeModelStrings(true);

 have an effect (presumably since this setting is already true by default).

 Am I condemned to coding a method to examine the models of my TextField and
 TextAreaString components at form-submission-time and remove any HTML code
 manually?

 Any comments would be appreciated,

 Ian






Re: Preventing user input script-injection attacks

2010-11-25 Thread Patrick Petermair

On 2010-11-25 16:15, Ian Marshall wrote:


If a user has entered some HTML in a TextField or TextAreaString  when I do
not want HTML to be entered, what is a good way to prevent this?


In our project we are using OWASP AntiSamy to prevent XSS attacks. It is 
easy to use, has a couple of templates (slashdot, ebay, ...) and works like a 
charm.


http://www.owasp.org/index.php/Category:OWASP_AntiSamy_Project
http://code.google.com/p/owaspantisamy/

Regards,
Patrick




Re: Preventing user input script-injection attacks

2010-11-25 Thread Ian Marshall

Sorry about that. By "I do not want HTML to be entered" I meant character
strings which are rendered by a browser additional to, or instead of, being
displayed as that character string. Examples are:

  <!--

  </body>

  onclick='[Some nasty JavaScript]';

Basically, I want to remove nasty code being injected into future rendered
HTML by user input.
-- 
View this message in context: 
http://apache-wicket.1842946.n4.nabble.com/Preventing-user-input-script-injection-attacks-tp3059119p3059321.html
Sent from the Users forum mailing list archive at Nabble.com.




Re: Preventing user input script-injection attacks

2010-11-25 Thread Ian Marshall

Thanks for that, Patrick.

I'll take a look at these tomorrow to see what they have got.
-- 
View this message in context: 
http://apache-wicket.1842946.n4.nabble.com/Preventing-user-input-script-injection-attacks-tp3059119p3059322.html
Sent from the Users forum mailing list archive at Nabble.com.




Re: Preventing user input script-injection attacks

2010-11-25 Thread Igor Vaynberg
wicket should already escape the markup for you. please provide a
quickstart where it is not doing it.

-igor

On Thu, Nov 25, 2010 at 7:15 AM, Ian Marshall ianmarshall...@gmail.com wrote:

 If a user has entered some HTML in a TextField or TextAreaString when I do
 not want HTML to be entered, what is a good way to prevent this?

 Currently, I store the offending strings and then render them using a Label
 or MultiLineLabel, but for neither component does

  Component.setEscapeModelStrings(true);

 have an effect (presumably since this setting is already true by default).

 Am I condemned to coding a method to examine the models of my TextField and
 TextAreaString components at form-submission-time and remove any HTML code
 manually?

 Any comments would be appreciated,

 Ian






Re: Preventing user input script-injection attacks

2010-11-25 Thread Michał Letyński

You can also try to use:

http://nekohtml.sourceforge.net/

On 2010-11-25 18:39, Ian Marshall wrote:

Thanks for that, Patrick.

I'll take a look at these tomorrow to see what they have got.



