Simon,

If you use ResponseWriter.writeText(), any <script> elements would be definitely escaped.

Max
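The difference Max points to, written out as an added example (this is not code from the original mails or from Trinidad): a hypothetical JSF Renderer that emits each queued FacesMessage as an <li>, with the original write() call left as a comment beside the escaping writeText() call. Class name, the surrounding <ul>, and the null guard are assumptions; the ResponseWriter, FacesMessage and Renderer calls are the standard JSF API.

```java
import java.io.IOException;
import java.util.Iterator;

import javax.faces.application.FacesMessage;
import javax.faces.component.UIComponent;
import javax.faces.context.FacesContext;
import javax.faces.context.ResponseWriter;
import javax.faces.render.Renderer;

// Hypothetical renderer (not Trinidad's tr:messages renderer) that lists
// the messages queued on the FacesContext as <li> elements.
public class EscapingMessagesRenderer extends Renderer {

    @Override
    public void encodeEnd(FacesContext context, UIComponent component)
            throws IOException {
        ResponseWriter writer = context.getResponseWriter();

        writer.startElement("ul", component);

        // All messages queued on the context. Messages for one component
        // could be fetched with context.getMessages(clientId) instead.
        Iterator<FacesMessage> messages = context.getMessages();
        while (messages.hasNext()) {
            FacesMessage msg = messages.next();
            String summary = msg.getSummary();

            // writeText() throws NullPointerException for a null text, so
            // skip messages that carry no summary at all.
            if (summary == null) {
                continue;
            }

            writer.startElement("li", component);

            // Vulnerable form from the original mail: write() copies the
            // string into the response unchanged, so any markup inside the
            // summary becomes live HTML in the rendered page.
            //   writer.write(summary);

            // Hardened form: writeText() escapes the characters that are
            // significant in the markup being rendered ('<', '>', '&', ...),
            // so the summary is shown as literal text. A constructed summary
            // of "<b>Error</b>" reaches the browser as "&lt;b&gt;Error&lt;/b&gt;".
            // The second argument names the component property the text
            // came from and may be null.
            writer.writeText(summary, null);

            writer.endElement("li");
        }

        writer.endElement("ul");
    }
}
```

The renderer is wired up the usual JSF way, by mapping its component family and renderer type to this class in the render-kit section of faces-config.xml. The only change relative to the loop in the original mail is the write() to writeText() swap; startElement()/endElement() already take care of the tags, and the component reference passed to startElement() is what lets the writer attach the element to the right component for tooling and instance-ids.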

Simon Kulessa wrote:
Hello,

I have received word that there is some trouble with my signature,
so I send the mail again, this time without it.

Best regards,
Simon Kulessa.

---
Hello,

I have written my own component to display messages inside a jsf page.
The component is based on the tr:messages Element.
My implementation of the renderer uses the following code to write the
message into the page.

//ResponseWriter writer
for(FacesMessage msg : messages) {

  writer.startElement("li", null);

  String summary = msg.getSummary();
  // add something to prevent xss attacks here
  writer.write(summary);

  writer.endElement("li");
}

The bad thing is that msg.getSummary() can contain JavaScript code -
which will be executed if the page is rendered. I need to add some
kind of prevention against this behaviour.

I assume that Trinidad offers some mechanisms to prevent
these kind of attacks. Can someone give me some hints?

Best regards,
Simon Kulessa.

