Hello, I have written my own component to display messages inside a JSF page. The component is based on the tr:messages element. My implementation of the renderer uses the following code to write the message into the page.
    // ResponseWriter writer (javax.faces.context.ResponseWriter), obtained from the FacesContext
    for (FacesMessage msg : messages) {
        writer.startElement("li", null);
        String summary = msg.getSummary();
        // add something to prevent xss attacks here
        writer.write(summary); // writes the summary to the page unescaped
        writer.endElement("li");
    }
The bad thing is that msg.getSummary() can contain JavaScript code, which will be executed when the page is rendered. I need to add some kind of prevention against this behaviour. I assume that Trinidad offers some mechanisms to prevent these kinds of attacks. Can someone give me some hints?

Best regards,
Simon Kulessa.

--
Diplom Informatiker Simon Kulessa
FlexSecure GmbH
Industriestr. 12
D - 64297 Darmstadt
Tel: +49 (0) 6151 501 23-15
Fax: +49 (0) 6151 501 23-19
E-Mail: [email protected]
Internet: www.flexsecure.de
Geschäftsführer: Erwin Stallenberger, Markus Ruppert
Amtsgericht Darmstadt HRB 8036
Umsatzsteuernummer: DE 214745269
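The defect in the loop above is that Writer.write(String) emits the summary verbatim, while ResponseWriter.writeText(Object, String) from the JSF API escapes it for an HTML text node; the renderer fix is to replace writer.write(summary) with writer.writeText(summary, null). The following stand-alone example (added here, not code from the original post or from Trinidad) models the same loop with its own escapeHtml helper so it runs without the JSF jars; the helper, the renderMessages method and the sample summaries are constructed for illustration.

```java
import java.io.IOException;
import java.io.StringWriter;
import java.io.Writer;
import java.util.Arrays;
import java.util.List;

/** Renders message summaries into <li> elements, escaping the untrusted text.
 *  In a real Trinidad renderer this escaping is what ResponseWriter.writeText does;
 *  Writer.write(String) performs no escaping at all. */
public class SafeMessageRenderer {

    /** Hypothetical helper standing in for ResponseWriter.writeText: escapes the five
     *  characters that let text break out of an HTML text node or quoted attribute. */
    static String escapeHtml(String s) {
        if (s == null) return "";
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Mirrors the loop from the post: one <li> per message, summary written escaped. */
    static void renderMessages(List<String> summaries, Writer writer) throws IOException {
        writer.write("<ul>");
        for (String summary : summaries) {
            writer.write("<li>");
            writer.write(escapeHtml(summary)); // never write(summary) for user-controlled text
            writer.write("</li>");
        }
        writer.write("</ul>");
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample input: a benign summary and one carrying markup that must stay inert.
        List<String> summaries = Arrays.asList(
                "Login failed for user 'bob'",
                "<script>alert(1)</script>");
        StringWriter out = new StringWriter();
        renderMessages(summaries, out);
        System.out.println(out); // the script tag appears as literal text, not as an element
    }
}
```

The same escaping must be applied to every message field that reaches the page (detail as well as summary), and writeText is the right call for text nodes; attribute values go through writeAttribute, which escapes for the attribute context.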

