Yes, we only escape on the output. Escaping the input itself makes little sense. If you want to escape the input before you store it, use the Strings.escapeMarkup() util method.
-igor

On Fri, Nov 26, 2010 at 6:34 AM, Ian Marshall <ianmarshall...@gmail.com> wrote:
>
> Hello Igor,
>
> I remain an Ant person for now and not a Maven person, so instead of a
> quickstart project I attach HTML and Java code for a Wicket test page:
>
> http://apache-wicket.1842946.n4.nabble.com/file/n3060397/PageSpecificTest.html
> PageSpecificTest.html
> http://apache-wicket.1842946.n4.nabble.com/file/n3060397/PageSpecificTest.java
> PageSpecificTest.java
>
> I commented out the log output in case you use a different log output method
> to me.
>
> This web page accepts input in a TextField and TextArea<String> component,
> and after form submission it renders this input in both the original
> components and also as copied to a Label and TextArea component
> respectively.
>
> My results are that Wicket does indeed escape the mark-up in rendered
> components automatically. However, the strings stored in the components'
> models are not escaped.
>
> To save you running the attached Wicket web page, I set out my
> post-submission results below. First is some log output from the component
> models, and then the page source of the four components mentioned above:
>
> 26-Nov-2010 13:43:14 [...].PageSpecificTest doSubmit
> FINE: g_pstdData data member values are:
> sSingleLineInput = "</body>"
> sMultiLineInput = "<!--".
>
> <input type="text" wicket:id="sSingleLineInput" size="40" tabindex="1"
> value="&lt;/body&gt;" name="sSingleLineInput"/>
>
> <span wicket:id="sSingleLineOutput">&lt;/body&gt;
>
> <textarea wicket:id="sMultiLineInput" cols="50" rows="10" tabindex="2"
> name="sMultiLineInput">&lt;!--</textarea>
>
> <textarea wicket:id="sMultiLineOutput" cols="50" rows="10" tabindex="4"
> name="sMultiLineOutput">&lt;!--</textarea>
>
> Is this expected Wicket behaviour? If so, then I shall need to strip
> scripting from the model strings myself (hopefully using one of the examples
> kindly supplied already in this topic). If not, then I submit this post for
> your evaluation.
>
> (I raise this topic because I build an address in Java code from several
> address elements, each one gathered by a TextField component. I then output
> the resultant address, which currently allows scripting through without
> having been escaped.)
>
> I look forward to hearing any views,
>
> Ian
> --
> View this message in context:
> http://apache-wicket.1842946.n4.nabble.com/Preventing-user-input-script-injection-attacks-tp3059119p3060397.html
> Sent from the Users forum mailing list archive at Nabble.com.
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org
> For additional commands, e-mail: users-h...@wicket.apache.org
>
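Added example, not code from either message in this thread: Ian's address case, done the way Igor describes. The model keeps the raw strings; a default Label escapes them on output, so nothing special is needed for a one-line address. The case that actually lets markup through is the multi-line address, because inserting `<br/>` between parts requires `setEscapeModelStrings(false)`; there each user-supplied part is passed through `Strings.escapeMarkup()` first, and only the separator the page controls is added unescaped. `AddressPage`, `Address` and the `wicket:id`s are assumed names for illustration; `Strings.escapeMarkup()` and `setEscapeModelStrings()` are the real Wicket API.

```java
// Added example (not from the thread). Assumed names: AddressPage, Address,
// and the wicket:ids addressOneLine / addressMultiLine.
package example; // hypothetical package

import java.io.Serializable;

import org.apache.wicket.markup.html.WebPage;
import org.apache.wicket.markup.html.basic.Label;
import org.apache.wicket.util.string.Strings;

public class AddressPage extends WebPage {

    /** Plain data holder: the model keeps the text exactly as the user typed it. */
    public static class Address implements Serializable {
        private static final long serialVersionUID = 1L;
        public String street;
        public String city;
        public String postcode;

        public Address(String street, String city, String postcode) {
            this.street = street;
            this.city = city;
            this.postcode = postcode;
        }
    }

    public AddressPage(Address address) {
        // Safe path 1: join the raw parts with a plain-text separator and let
        // Label escape the whole string on output (its default). With the
        // thread's sample input "</body>" the page source shows &lt;/body&gt;.
        String oneLine = address.street + ", " + address.city + " " + address.postcode;
        add(new Label("addressOneLine", oneLine));

        // Safe path 2: a multi-line address with <br/> between parts. This needs
        // setEscapeModelStrings(false), which is exactly the point at which raw
        // input would reach the browser. So escape each user-supplied part first
        // and only then add the markup the page itself controls.
        String multiLine = joinEscaped("<br/>", address.street, address.city, address.postcode);
        add(new Label("addressMultiLine", multiLine).setEscapeModelStrings(false));
    }

    /**
     * Escapes every part with Strings.escapeMarkup() (which turns <, >, & and "
     * into entities) and joins the non-blank parts with the given separator.
     * The separator is trusted page markup; the parts are not.
     */
    static String joinEscaped(String separator, String... parts) {
        StringBuilder sb = new StringBuilder();
        for (String part : parts) {
            if (part == null || part.trim().isEmpty()) {
                continue; // skip blank address lines
            }
            if (sb.length() > 0) {
                sb.append(separator);
            }
            sb.append(Strings.escapeMarkup(part));
        }
        return sb.toString();
    }
}
```

The matching markup is two `<span>` elements, `<span wicket:id="addressOneLine"></span>` and `<span wicket:id="addressMultiLine"></span>`. The rule this follows is Igor's: store raw, escape at the one place where the string becomes HTML. `joinEscaped()` is the only spot where `setEscapeModelStrings(false)` is acceptable, because every byte that is not escaped there was written by the page, not by the user.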