On Thu, Feb 28, 2008 at 7:53 AM, Nick Heudecker <[EMAIL PROTECTED]> wrote:
> Hi Arthur,
>
> While I can't address all of your concerns, I can address a couple.
>
> > 1. ESCAPING CHARACTERS: I have read in wicket's mailing list that all
> > wicket components escape values. I have done some tests in the
> > "wicket-examples" application distributed in the wicket-1.3.1 release and I
> > have modified, in the FormInput.properties file, the value of key "string"
> > with this value "<script>alert("xss");</script>" and I see that this script
> > is executed when I load the page with this message key. So, I don't know if
> > all components escape values or not!
>
>
> I'm not familiar with that example, but from my experience, Wicket
> components escape HTML unless specifically told otherwise.
I don't think we escape certain values that come from .properties
files. These files are maintained by programmers and are never written
to by users, so what's the point of escaping them?
> > 2. INTEGRITY: Actually in my bank application we have hidden fields in our
> > forms to store critical values and I want to know if wicket by default
> > guarantees data integrity or not. I want to guarantee integrity like HDIV
> > does in Struts and Spring MVC apps... is it possible in wicket?
>
> Hidden fields are not required with Wicket applications since the data that
> was formerly stored in hidden fields in other frameworks is maintained in
> Wicket's model classes. I had a hard time understanding this at first as
> well, but the essential element is you don't need hidden fields in Wicket
> applications.
Right. To put it simpler - what used to be in hidden fields is now
stored in session.
> > I have read in wicket's documentation that it is possible to encrypt urls
> > ensuring integrity (
> > http://cwiki.apache.org/WICKET/url-coding-strategies.html) but is it
> > possible to apply this strategy to forms? Or data tampering attacks are
> > possible in wicket forms with hidden fields?
> >
> > So, can Wicket ensure data integrity?
Since hidden values are stored in session instead - yes. Users cannot
tamper with things you do not explicitly expose.
> > 4. RANDOM TOKENS: I want to avoid CSRF attacks and I have read (
> > http://www.owasp.org/index.php/Top_10_2007-A5) that a possible solution is
> > to add random tokens to all requests. Is it possible to add a random
> > parameter to requests automatically in wicket?
Wicket urls are already session-relative and somewhat random (depend
on the path you take through the application), so I am not sure if
anything more needs to be done...
-igor
>
>
> Perhaps someone else can chime in here, but I don't think this is a problem
> with Wicket applications.
>
> > I need your help to answer these questions, pls!
> >
> > thanks!
> >
> > [1] http://www.nabble.com/Shout-more-about-security-advantages-of-Wicket--to14800934.html#a14816425
> > [2] http://www.hdiv.org/docs/hdiv-reference.pdf
>
> --
> Nick Heudecker
> Professional Wicket Training & Consulting
> http://www.systemmobile.com
>
> Eventful - Intelligent Event Management
> http://www.eventfulhq.com
>
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
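An added example, not from this thread and not Wicket's own code, modelling the escaping boundary Igor describes: model-backed component output is escaped by default, while messages loaded from a .properties file are developer-controlled and emitted verbatim, so the page's `<script>` test value renders as written. It also shows the check a practitioner wants at that boundary: when a trusted message template substitutes a user-supplied value, that value must still be escaped. The property file content, the `render_*` functions and the `${name}` placeholder syntax are constructed assumptions for illustration.

```python
import html
import re

# Constructed stand-in for the FormInput.properties file mentioned in the thread.
# The "string" key carries the exact value Arthur tested with.
PROPERTIES = """
string=<script>alert("xss");</script>
greeting=Hello ${name}, welcome back!
"""


def load_properties(text):
    """Minimal .properties reader: key=value per line, '#' starts a comment."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def render_label(value, escape_model_strings=True):
    """Model-backed component output. Escaped unless the developer opts out,
    which mirrors the default Nick describes for Wicket components."""
    return html.escape(value, quote=True) if escape_model_strings else value


def render_message(props, key, params):
    """Resource-bundle message. The template itself is trusted (programmers
    write the file, users never do) and is emitted verbatim, but any ${param}
    substituted into it is data and is escaped before it reaches the page."""
    template = props[key]

    def substitute(match):
        name = match.group(1)
        return html.escape(str(params[name]), quote=True)

    return re.sub(r"\$\{(\w+)\}", substitute, template)
```

The first assertion below reproduces the behaviour Arthur observed: the unescaped .properties value reaches the page unchanged, whereas the same string passed through a model-backed component is neutralised.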