Re: XSS in wicket. Wicket fault or my fault?
Hi Bas,

Thank you for the reference, I forgot this one. I updated the code. Thank you for the reference. It's better with StringResourceModel... :D

On 30/01/14 11:22, Bas Gooren wrote:

-
To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org
For additional commands, e-mail: users-h...@wicket.apache.org
Re: XSS in wicket. Wicket fault or my fault?
Hi!

You can also replace your Label's model with a StringResourceModel. See http://ci.apache.org/projects/wicket/apidocs/6.x/org/apache/wicket/model/StringResourceModel.html

Kind regards,
Bas Gooren

Gonzalo Aguilar Delgado wrote on 30-1-2014 11:17:
Re: XSS in wicket. Wicket fault or my fault?
Hi Paul, you were right!!! I did

    label.setEscapeModelStrings(false);

in code. So I can show bold text... That was my fault!

Best regards,

On 29/01/14 21:29, Paul Bors wrote:
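Added example, not code from the thread or from the Wicket project, putting the two resolutions above side by side: the label with escaping switched off that let the stored name render as live markup, and the StringResourceModel form with Wicket's default escaping left on. It assumes a Wicket 6 page named MainTmsPage with the properties entry and a <b> around the label in its HTML template, and a constructed User bean standing in for authSession.getUser().

```java
import java.io.Serializable;

import org.apache.wicket.markup.html.WebPage;
import org.apache.wicket.markup.html.basic.Label;
import org.apache.wicket.model.Model;
import org.apache.wicket.model.StringResourceModel;
import org.apache.wicket.util.string.Strings;

// Assumed MainTmsPage.properties:  main.message=Hello ${realName}. Welcome to the main page.
// Assumed MainTmsPage.html:        <b><span wicket:id="message"></span></b>
public class MainTmsPage extends WebPage {

    // Constructed stand-in for the session's user object (hypothetical; only realName matters).
    public static class User implements Serializable {
        private final String realName;
        public User(String realName) { this.realName = realName; }
        public String getRealName() { return realName; }
    }

    public MainTmsPage(User user) {
        // BEFORE (the hole): getString() interpolates ${realName} from the bean, and
        // setEscapeModelStrings(false) sends the result to the browser as raw markup,
        // so whatever markup was stored in realName is rendered live on login.
        //   Label broken = new Label("message", getString("main.message", new Model<User>(user)));
        //   broken.setEscapeModelStrings(false);   // only ever correct for trusted, non-user content
        //   add(broken);

        // AFTER: StringResourceModel does the same ${realName} substitution from the model,
        // and Label keeps its default escapeModelStrings == true, so the whole greeting is
        // HTML-escaped at render time. Bold comes from the <b> in the template, not from
        // HTML inside the string, so escaping never has to be switched off.
        Label fixed = new Label("message",
                new StringResourceModel("main.message", this, new Model<User>(user)));
        fixed.setOutputMarkupId(true);
        add(fixed);
    }

    // What reaches the browser for a given greeting string with escaping on or off.
    // Escaping on mirrors the Strings.escapeMarkup call Label applies by default;
    // off is the raw string, i.e. the broken configuration commented out above.
    public static String renderedBody(String greeting, boolean escapeModelStrings) {
        if (!escapeModelStrings) {
            return greeting;
        }
        return Strings.escapeMarkup(greeting, false, false).toString();
    }
}
```

renderedBody(greeting, true) shows the entity-encoded text the fixed label emits for a name containing markup; with false it shows the raw string the browser received before the fix.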
Re: XSS in wicket. Wicket fault or my fault?
Hi Martin,

This is how I've done it.

    label = new Label("message", getString("main.message", new Model(authSession.getUser())));
    label.setOutputMarkupId(true);

And in the MainTmsPage.properties I have:

    main.message=Hello ${realName}. Welcome to the Technoactivity Payment Solutions main page.

And it worked!

On 30/01/14 10:03, Martin Grigorov wrote:
Re: XSS in wicket. Wicket fault or my fault?
Hi, I will take a look. Maybe I did it to allow HTML rendering on the label. Will tell you. Thank you a lot for the references.

On 29/01/14 21:29, Paul Bors wrote:
Re: XSS in wicket. Wicket fault or my fault?
On Thu, Jan 30, 2014 at 10:26 AM, Steve wrote:
> It looks like an EL expression but it's not wicket-el because it escapes output the same way wicket does...
>
> speaking of, I must get off my butt and work out how to import it into wicketstuff... I've made all the changes that wicket 6.13 enabled.

+1
ping me if you need help

> On 30/01/14 19:03, Martin Grigorov wrote:
Re: XSS in wicket. Wicket fault or my fault?
It looks like an EL expression but it's not wicket-el because it escapes output the same way wicket does...

speaking of, I must get off my butt and work out how to import it into wicketstuff... I've made all the changes that wicket 6.13 enabled.

On 30/01/14 19:03, Martin Grigorov wrote:
Re: XSS in wicket. Wicket fault or my fault?
Hi,

On Wed, Jan 29, 2014 at 6:26 PM, Gonzalo Aguilar Delgado <gagui...@aguilardelgado.com> wrote:
> Hi there,
>
> I'm building an application for a client and my security advisor told me about an XSS attack that can be performed on the site.
>
> When the user logs in I welcome them by saying "Hello user".
>
> Hello ${realName}.

How do you substitute the value of ${realName}?
Wicket doesn't support such placeholders.

The Wicket syntax would be: Hello .
Together with: page.add(new Label("realName", "Some Name"));

> Welcome to the Synapse web.
Re: XSS in wicket. Wicket fault or my fault?
No need, Wicket escapes your model objects; see Component#setEscapeModelStrings(true) for when HTML should be escaped and thus the browser won't execute it as HTML or JS.
http://ci.apache.org/projects/wicket/apidocs/6.x/org/apache/wicket/Component.html#setEscapeModelStrings(boolean)

That is on by default, so you should switch to using a wicket model for your label. See the bottom section 11.1 "What is a model?" of the wicket free guide at:
http://wicket.apache.org/guide/guide/modelsforms.html#modelsforms_1

Also, older Wicket in Action:
http://www.javaranch.com/journal/2008/10/using-wicket-labels-and-links.html

On Wed, Jan 29, 2014 at 12:26 PM, Gonzalo Aguilar Delgado <gagui...@aguilardelgado.com> wrote:
XSS in wicket. Wicket fault or my fault?
Hi there,

I'm building an application for a client and my security advisor told me about an XSS attack that can be performed on the site.

When the user logs in I welcome them by saying "Hello user".

Hello ${realName}.
Welcome to the Synapse web.

As you can see I use I18N so this is not the real text that will show up, but it's similar.

I used to think that wicket validated output before building the web page, but the white hat hacked it by just putting a fake name into the database. Too easy for me...

The content of realName is:

'';!--"alert('XSS')=&{()}

So I ended up with:

Hello'';!--"alert('XSS')=&{()}

in the web page. And the script executed on login.

I was thinking about baking a method into my DAO classes to validate everything that goes to the database. But there should be a better solution.

Can you point me to the right one?

Best regards,