Re: XSS in wicket. Wicket fault or my fault?

2014-01-30 Thread Gonzalo Aguilar Delgado

Hi Bas,

Thank you for the reference, I forgot this one. I updated the code.

Thank you for the reference. It's better with StringResourceModel... :D

On 30/01/14 11:22, Bas Gooren wrote:

Hi!

You can also replace your Label's model with a StringResourceModel.

See 
http://ci.apache.org/projects/wicket/apidocs/6.x/org/apache/wicket/model/StringResourceModel.html


Kind regards,

Bas Gooren

On 30-1-2014 11:17, Gonzalo Aguilar Delgado wrote:

Hi Martin,

This is how I've done it.

label = new Label("message", getString("main.message", new Model(authSession.getUser())));

label.setOutputMarkupId(true);


And in the MainTmsPage.properties I have:

main.message=Hello ${realName}. Welcome to the Technoactivity Payment Solutions main page.



And it worked!


On 30/01/14 10:03, Martin Grigorov wrote:

Hi,

On Wed, Jan 29, 2014 at 6:26 PM, Gonzalo Aguilar Delgado <
gagui...@aguilardelgado.com> wrote:


Hi there,

I'm building an application for a client and my security advisor told me
about an XSS attack that can be performed on the site.

When a user logs in I welcome them by saying "Hello user".


 
 Hello ${realName}.


How do you substitute the value of ${realName} ?
Wicket doesn't support such placeholders.

The Wicket syntax would be: Hello .
Together with: page.add(new Label("realName", "Some Name"));



 Welcome to the Synapse web.
 
 


As you can see I use I18N so this is not the real text that will show up,
but it's similar.

I used to think that wicket validated output before building web but the
white hat hacked it by just putting a fake name into the database. Too easy
for me...

The content of realName is:

'';!--"alert('XSS')=&{()}


So I ended with:

Hello'';!--"alert('XSS')=&{()}

In the web page. And the script executed on login.

I was thinking about baking a method into my DAO classes to validate
everything that goes to the database. But it should be a better 
solution.


Can you point me to the right one?



Best regards,






-
To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org
For additional commands, e-mail: users-h...@wicket.apache.org











Re: XSS in wicket. Wicket fault or my fault?

2014-01-30 Thread Bas Gooren

Hi!

You can also replace your Label's model with a StringResourceModel.

See 
http://ci.apache.org/projects/wicket/apidocs/6.x/org/apache/wicket/model/StringResourceModel.html


Kind regards,

Bas Gooren

On 30-1-2014 11:17, Gonzalo Aguilar Delgado wrote:

Hi Martin,

This is how I've done it.

label = new Label("message", getString("main.message", new Model(authSession.getUser())));

label.setOutputMarkupId(true);


And in the MainTmsPage.properties I have:

main.message=Hello ${realName}. Welcome to the Technoactivity Payment Solutions main page.



And it worked!


On 30/01/14 10:03, Martin Grigorov wrote:

Hi,

On Wed, Jan 29, 2014 at 6:26 PM, Gonzalo Aguilar Delgado <
gagui...@aguilardelgado.com> wrote:


Hi there,

I'm building an application for a client and my security advisor told me
about an XSS attack that can be performed on the site.

When a user logs in I welcome them by saying "Hello user".


 
 Hello ${realName}.


How do you substitute the value of ${realName} ?
Wicket doesn't support such placeholders.

The Wicket syntax would be: Hello .
Together with: page.add(new Label("realName", "Some Name"));



 Welcome to the Synapse web.
 
 


As you can see I use I18N so this is not the real text that will show up,
but it's similar.

I used to think that wicket validated output before building web but the
white hat hacked it by just putting a fake name into the database. Too easy
for me...

The content of realName is:

'';!--"alert('XSS')=&{()}


So I ended with:

Hello'';!--"alert('XSS')=&{()}

In the web page. And the script executed on login.

I was thinking about baking a method into my DAO classes to validate
everything that goes to the database. But it should be a better 
solution.


Can you point me to the right one?



Best regards,












Re: XSS in wicket. Wicket fault or my fault?

2014-01-30 Thread Gonzalo Aguilar Delgado

Hi Paul,

you were right!!!

I did

label.setEscapeModelStrings(false);

in code. So I can show bold text...

That was my fault!

Best regards,

On 29/01/14 21:29, Paul Bors wrote:

No need, Wicket escapes your model objects, see
Component#setEscapeModelStrings(true) for when HTML should be escaped and
thus the browser won't execute it as HTML or JS.
http://ci.apache.org/projects/wicket/apidocs/6.x/org/apache/wicket/Component.html#setEscapeModelStrings(boolean)

That is on by default, so you should switch to using a wicket model for
your label.

See the bottom section 11.1 "What is a model?" of the wicket free guide at:
http://wicket.apache.org/guide/guide/modelsforms.html#modelsforms_1

Also, older Wicket in Action:
http://www.javaranch.com/journal/2008/10/using-wicket-labels-and-links.html


On Wed, Jan 29, 2014 at 12:26 PM, Gonzalo Aguilar Delgado <
gagui...@aguilardelgado.com> wrote:


Hi there,

I'm building an application for a client and my security advisor told me
about an XSS attack that can be performed on the site.

When a user logs in I welcome them by saying "Hello user".


 
 Hello ${realName}.
 Welcome to the Synapse web.
 
 


As you can see I use I18N so this is not the real text that will show up,
but it's similar.

I used to think that wicket validated output before building web but the
white hat hacked it by just putting a fake name into the database. Too easy
for me...

The content of realName is:

'';!--"alert('XSS')=&{()}


So I ended with:

Hello'';!--"alert('XSS')=&{()}

In the web page. And the script executed on login.

I was thinking about baking a method into my DAO classes to validate
everything that goes to the database. But it should be a better solution.

Can you point me to the right one?



Best regards,









Re: XSS in wicket. Wicket fault or my fault?

2014-01-30 Thread Gonzalo Aguilar Delgado

Hi Martin,

This is how I've done it.

label = new Label("message", getString("main.message", new Model(authSession.getUser())));

label.setOutputMarkupId(true);


And in the MainTmsPage.properties I have:

main.message=Hello ${realName}. Welcome to the Technoactivity Payment Solutions main page.



And it worked!


On 30/01/14 10:03, Martin Grigorov wrote:

Hi,

On Wed, Jan 29, 2014 at 6:26 PM, Gonzalo Aguilar Delgado <
gagui...@aguilardelgado.com> wrote:


Hi there,

I'm building an application for a client and my security advisor told me
about an XSS attack that can be performed on the site.

When a user logs in I welcome them by saying "Hello user".


 
 Hello ${realName}.


How do you substitute the value of ${realName} ?
Wicket doesn't support such placeholders.

The Wicket syntax would be: Hello .
Together with: page.add(new Label("realName", "Some Name"));



 Welcome to the Synapse web.
 
 


As you can see I use I18N so this is not the real text that will show up,
but it's similar.

I used to think that wicket validated output before building web but the
white hat hacked it by just putting a fake name into the database. Too easy
for me...

The content of realName is:

'';!--"alert('XSS')=&{()}


So I ended with:

Hello'';!--"alert('XSS')=&{()}

In the web page. And the script executed on login.

I was thinking about baking a method into my DAO classes to validate
everything that goes to the database. But it should be a better solution.

Can you point me to the right one?



Best regards,









Re: XSS in wicket. Wicket fault or my fault?

2014-01-30 Thread Gonzalo Aguilar Delgado

Hi, I will take a look.



Maybe I did it to allow HTML rendering on the label. Will tell you.

Thank you a lot for the references.

On 29/01/14 21:29, Paul Bors wrote:

No need, Wicket escapes your model objects, see
Component#setEscapeModelStrings(true) for when HTML should be escaped and
thus the browser won't execute it as HTML or JS.
http://ci.apache.org/projects/wicket/apidocs/6.x/org/apache/wicket/Component.html#setEscapeModelStrings(boolean)

That is on by default, so you should switch to using a wicket model for
your label.

See the bottom section 11.1 "What is a model?" of the wicket free guide at:
http://wicket.apache.org/guide/guide/modelsforms.html#modelsforms_1

Also, older Wicket in Action:
http://www.javaranch.com/journal/2008/10/using-wicket-labels-and-links.html


On Wed, Jan 29, 2014 at 12:26 PM, Gonzalo Aguilar Delgado <
gagui...@aguilardelgado.com> wrote:


Hi there,

I'm building an application for a client and my security advisor told me
about an XSS attack that can be performed on the site.

When a user logs in I welcome them by saying "Hello user".


 
 Hello ${realName}.
 Welcome to the Synapse web.
 
 


As you can see I use I18N so this is not the real text that will show up,
but it's similar.

I used to think that wicket validated output before building web but the
white hat hacked it by just putting a fake name into the database. Too easy
for me...

The content of realName is:

'';!--"alert('XSS')=&{()}


So I ended with:

Hello'';!--"alert('XSS')=&{()}

In the web page. And the script executed on login.

I was thinking about baking a method into my DAO classes to validate
everything that goes to the database. But it should be a better solution.

Can you point me to the right one?



Best regards,









Re: XSS in wicket. Wicket fault or my fault?

2014-01-30 Thread Martin Grigorov
On Thu, Jan 30, 2014 at 10:26 AM, Steve wrote:

> It looks like an EL expression but it's not wicket-el because it escapes
> output the same way wicket does...
>
> speaking of I must get off my butt and work out how to import it into
> wicketstuff... I've made all the changes that wicket 6.13 enabled.
>

+1
ping me if you need help


>
> On 30/01/14 19:03, Martin Grigorov wrote:
> > Hi,
> >
> > On Wed, Jan 29, 2014 at 6:26 PM, Gonzalo Aguilar Delgado <
> > gagui...@aguilardelgado.com> wrote:
> >
> >> Hi there,
> >>
> >> I'm building an application for a client and my security advisor told me
> >> about an XSS attack that can be performed on the site.
> >>
> >> When a user logs in I welcome them by saying "Hello user".
> >>
> >> 
> >> 
> >> Hello ${realName}.
> >>
> > How do you substitute the value of ${realName} ?
> > Wicket doesn't support such placeholders.
> >
> > The Wicket syntax would be: Hello .
> > Together with: page.add(new Label("realName", "Some Name"));
> >
> >
> >> Welcome to the Synapse web.
> >> 
> >> 
> >>
> >>
> >> As you can see I use I18N so this is not the real text that will show up,
> >> but it's similar.
> >>
> >> I used to think that wicket validated output before building web but the
> >> white hat hacked it by just putting a fake name into the database. Too easy
> >> for me...
> >>
> >> The content of realName is:
> >>
> >> '';!--"alert('XSS')=&{()}
> >>
> >>
> >> So I ended with:
> >>
> >> Hello'';!--"alert('XSS')=&{()}
> >>
> >> In the web page. And the script executed on login.
> >>
> >> I was thinking about baking a method into my DAO classes to validate
> >> everything that goes to the database. But it should be a better solution.
> >>
> >> Can you point me to the right one?
> >>
> >>
> >>
> >> Best regards,
> >>
> >>
> >>
>
>
>
>


Re: XSS in wicket. Wicket fault or my fault?

2014-01-30 Thread Steve
It looks like an EL expression but it's not wicket-el because it escapes
output the same way wicket does...

speaking of I must get off my butt and work out how to import it into
wicketstuff... I've made all the changes that wicket 6.13 enabled.

On 30/01/14 19:03, Martin Grigorov wrote:
> Hi,
>
> On Wed, Jan 29, 2014 at 6:26 PM, Gonzalo Aguilar Delgado <
> gagui...@aguilardelgado.com> wrote:
>
>> Hi there,
>>
>> I'm building an application for a client and my security advisor told me
>> about an XSS attack that can be performed on the site.
>>
>> When a user logs in I welcome them by saying "Hello user".
>>
>> 
>> 
>> Hello ${realName}.
>>
> How do you substitute the value of ${realName} ?
> Wicket doesn't support such placeholders.
>
> The Wicket syntax would be: Hello .
> Together with: page.add(new Label("realName", "Some Name"));
>
>
>> Welcome to the Synapse web.
>> 
>> 
>>
>>
>> As you can see I use I18N so this is not the real text that will show up,
>> but it's similar.
>>
>> I used to think that wicket validated output before building web but the
>> white hat hacked it by just putting a fake name into the database. Too easy
>> for me...
>>
>> The content of realName is:
>>
>> '';!--"alert('XSS')=&{()}
>>
>>
>> So I ended with:
>>
>> Hello'';!--"alert('XSS')=&{()}
>>
>> In the web page. And the script executed on login.
>>
>> I was thinking about baking a method into my DAO classes to validate
>> everything that goes to the database. But it should be a better solution.
>>
>> Can you point me to the right one?
>>
>>
>>
>> Best regards,
>>
>>
>>





Re: XSS in wicket. Wicket fault or my fault?

2014-01-30 Thread Martin Grigorov
Hi,

On Wed, Jan 29, 2014 at 6:26 PM, Gonzalo Aguilar Delgado <
gagui...@aguilardelgado.com> wrote:

> Hi there,
>
> I'm building an application for a client and my security advisor told me
> about an XSS attack that can be performed on the site.
>
> When a user logs in I welcome them by saying "Hello user".
>
> 
> 
> Hello ${realName}.
>

How do you substitute the value of ${realName} ?
Wicket doesn't support such placeholders.

The Wicket syntax would be: Hello .
Together with: page.add(new Label("realName", "Some Name"));


> Welcome to the Synapse web.
> 
> 
>
>
> As you can see I use I18N so this is not the real text that will show up,
> but it's similar.
>
> I used to think that wicket validated output before building web but the
> white hat hacked it by just putting a fake name into the database. Too easy
> for me...
>
> The content of realName is:
>
> '';!--"alert('XSS')=&{()}
>
>
> So I ended with:
>
> Hello'';!--"alert('XSS')=&{()}
>
> In the web page. And the script executed on login.
>
> I was thinking about baking a method into my DAO classes to validate
> everything that goes to the database. But it should be a better solution.
>
> Can you point me to the right one?
>
>
>
> Best regards,
>
>
>


Re: XSS in wicket. Wicket fault or my fault?

2014-01-29 Thread Paul Bors
No need, Wicket escapes your model objects, see
Component#setEscapeModelStrings(true) for when HTML should be escaped and
thus the browser won't execute it as HTML or JS.
http://ci.apache.org/projects/wicket/apidocs/6.x/org/apache/wicket/Component.html#setEscapeModelStrings(boolean)

That is on by default, so you should switch to using a wicket model for
your label.

See the bottom section 11.1 "What is a model?" of the wicket free guide at:
http://wicket.apache.org/guide/guide/modelsforms.html#modelsforms_1

Also, older Wicket in Action:
http://www.javaranch.com/journal/2008/10/using-wicket-labels-and-links.html


On Wed, Jan 29, 2014 at 12:26 PM, Gonzalo Aguilar Delgado <
gagui...@aguilardelgado.com> wrote:

> Hi there,
>
> I'm building an application for a client and my security advisor told me
> about an XSS attack that can be performed on the site.
>
> When a user logs in I welcome them by saying "Hello user".
>
> 
> 
> Hello ${realName}.
> Welcome to the Synapse web.
> 
> 
>
>
> As you can see I use I18N so this is not the real text that will show up,
> but it's similar.
>
> I used to think that wicket validated output before building web but the
> white hat hacked it by just putting a fake name into the database. Too easy
> for me...
>
> The content of realName is:
>
> '';!--"alert('XSS')=&{()}
>
>
> So I ended with:
>
> Hello'';!--"alert('XSS')=&{()}
>
> In the web page. And the script executed on login.
>
> I was thinking about baking a method into my DAO classes to validate
> everything that goes to the database. But it should be a better solution.
>
> Can you point me to the right one?
>
>
>
> Best regards,
>
>
>

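An added example, not code from the thread or from Wicket itself, that puts Paul's point (escaping is on by default; `setEscapeModelStrings(false)` is what turned it off) together with the `StringResourceModel` approach Gonzalo settled on, and adds the regression test a reviewer would want so the label cannot silently lose its escaping again. It assumes Wicket 6 and JUnit 4 on the classpath, a `WelcomePage.html` next to the class containing `<span wicket:id="message"></span>`, and a `WelcomePage.properties` containing `main.message=Hello ${realName}. Welcome to the main page.`; `User`, `WelcomePage` and `WelcomePageXssTest` are hypothetical names.

```java
import java.io.Serializable;

import org.apache.wicket.markup.html.WebPage;
import org.apache.wicket.markup.html.basic.Label;
import org.apache.wicket.model.IModel;
import org.apache.wicket.model.Model;
import org.apache.wicket.model.StringResourceModel;
import org.apache.wicket.util.tester.WicketTester;
import org.junit.Assert;
import org.junit.Test;

/** Constructed stand-in for whatever authSession.getUser() returns in the thread. */
class User implements Serializable {
    private static final long serialVersionUID = 1L;
    private final String realName;

    User(String realName) { this.realName = realName; }

    /** Read by the ${realName} property expression in main.message. */
    public String getRealName() { return realName; }
}

/** Hypothetical page: the thread's working approach with escaping left at its default. */
class WelcomePage extends WebPage {
    private static final long serialVersionUID = 1L;

    WelcomePage(IModel<User> user) {
        // StringResourceModel substitutes ${realName} from the User object; Label then
        // HTML-escapes the whole string at render time because escapeModelStrings is
        // true by default. The bug in the thread was one extra call on this label,
        //     .setEscapeModelStrings(false)
        // which renders whatever sits in the database as live markup.
        add(new Label("message", new StringResourceModel("main.message", this, user)));
    }
}

/** Regression test that fails if anyone disables escaping on the label again. */
public class WelcomePageXssTest {
    // Constructed sample in the spirit of the thread's polyglot; <XSS> is an inert tag.
    private static final String NASTY_NAME = "'';!--\"<XSS>=&{()}";

    @Test
    public void realNameFromDatabaseRendersAsText() {
        WicketTester tester = new WicketTester();
        try {
            tester.startPage(new WelcomePage(Model.of(new User(NASTY_NAME))));
            String html = tester.getLastResponseAsString();
            Assert.assertFalse("raw markup from the DB reached the page", html.contains("<XSS>"));
            Assert.assertTrue("value should be entity-encoded", html.contains("&lt;XSS&gt;"));
        } finally {
            tester.destroy();
        }
    }
}
```

Because the check runs against the rendered response rather than the model, it catches the failure mode the thread hit (escaping disabled on the component) regardless of how clean the database content is.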

XSS in wicket. Wicket fault or my fault?

2014-01-29 Thread Gonzalo Aguilar Delgado

Hi there,

I'm building an application for a client and my security advisor told me
about an XSS attack that can be performed on the site.


When a user logs in I welcome them by saying "Hello user".



Hello ${realName}.
Welcome to the Synapse web.




As you can see I use I18N so this is not the real text that will show up,
but it's similar.


I used to think that wicket validated output before building web but the 
white hat hacked it by just putting a fake name into the database. Too 
easy for me...


The content of realName is:

'';!--"alert('XSS')=&{()}


So I ended with:

Hello'';!--"alert('XSS')=&{()}

In the web page. And the script executed on login.

I was thinking about baking a method into my DAO classes to validate everything 
that goes to the database. But it should be a better solution.

Can you point me to the right one?



Best regards,