Re: XSS vulnerability
Hi All, please ignore this. We found the issue: it was due to an AbstractBehavior that was being added to the text fields, which outputs the raw value in a div before escaping it.

On Wed, May 7, 2014 at 11:23 AM, Wayne W wrote:
> Hi
>
> It's been brought to my attention that Wicket seems to be XSS vulnerable.
> We have a public internet-facing form, and by simply putting
>
>
>
> in the fields you can get a JS prompt appearing. As all the fields have
> validators on them, all code is passing through the Wicket-based code. Is
> there any way to stop this?
>
> We're using Wicket 1.4.21 but I've also just tried with the latest version
> of Wicket with the same response.
>
> It's a standard form and we're not setting setEscapeModelStrings or
> anything.
>
> How can we sanitise the fields on an onError?
>
> thanks
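To illustrate the root cause named in the reply above, here is an added example (not code from the thread or from the Wicket project) of a behaviour that echoes a text field's value into a div, first writing the raw value and then the corrected form that escapes it. It assumes the Wicket 1.4 API as I know it: AbstractBehavior.onRendered, Component.getResponse() and Strings.escapeMarkup.

```java
// Added example, not the poster's or Wicket's own code. Assumes the Wicket 1.4
// classes AbstractBehavior, Component and org.apache.wicket.util.string.Strings.
import org.apache.wicket.Component;
import org.apache.wicket.behavior.AbstractBehavior;
import org.apache.wicket.util.string.Strings;

/**
 * Vulnerable variant: the field's own rendering escapes the model string, but
 * this behaviour writes the raw value into the response after the component,
 * so any markup submitted into the field is rendered as markup.
 */
class RawEchoBehavior extends AbstractBehavior {
    @Override
    public void onRendered(Component component) {
        Object value = component.getDefaultModelObject();
        String raw = (value == null) ? "" : value.toString();
        // Bug: no escaping before the value reaches the page.
        component.getResponse().write("<div class=\"echo\">" + raw + "</div>");
    }
}

/**
 * Fixed variant: escape the value before writing it. This does not depend on
 * the component's escapeModelStrings flag, because that flag only governs what
 * the component itself renders, not what a behaviour writes around it.
 */
class EscapedEchoBehavior extends AbstractBehavior {
    @Override
    public void onRendered(Component component) {
        Object value = component.getDefaultModelObject();
        CharSequence safe = (value == null) ? "" : Strings.escapeMarkup(value.toString());
        component.getResponse().write("<div class=\"echo\">" + safe + "</div>");
    }
}
```

Attaching EscapedEchoBehavior (for example via `textField.add(new EscapedEchoBehavior())`) keeps the echoed text inert; a quick check is to submit a value containing `<` or `"` and confirm it appears entity-encoded in the page source.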
Re: XSS vulnerability
Hi,

Wicket does not process HTML elements without a wicket:id attribute. Such markup is rendered as is. You can use a custom IResponseFilter to manipulate the markup, though. See org.apache.wicket.response.filter.EmptySrcAttributeCheckFilter for an example.

Martin Grigorov
Wicket Training and Consulting

On Wed, May 7, 2014 at 1:23 PM, Wayne W wrote:
> Hi
>
> It's been brought to my attention that Wicket seems to be XSS vulnerable. We
> have a public internet-facing form, and by simply putting
>
>
>
> in the fields you can get a JS prompt appearing. As all the fields have
> validators on them, all code is passing through the Wicket-based code. Is
> there any way to stop this?
>
> We're using Wicket 1.4.21 but I've also just tried with the latest version
> of Wicket with the same response.
>
> It's a standard form and we're not setting setEscapeModelStrings or
> anything.
>
> How can we sanitise the fields on an onError?
>
> thanks