Hi there,

I'm building an application for a client and my security advisor told me about an XSS attack that can be performed on the site.

When a user logs in I welcome them by saying "Hello user".

<div class="thumbnail">
    <p wicket:id="message">
        Hello ${realName}.
        Welcome to the Synapse web.
    </p>
</div>

As you can see I use I18N, so this is not the real text that will show up, but it's similar.

I used to think that Wicket validated output before building the web page, but the white hat hacked it by just putting a fake name into the database. Too easy for me...

The content of realName is:


So I ended with:


In the web page. And the script executed on login.

I was thinking about baking a method into my DAO classes to validate everything
that goes to the database. But there should be a better solution.

Can you point me to the right one?

Best regards,

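An added illustration of the fix the poster is asking about; this is not code from the post, nor Wicket's own API, and the resource pattern, the helper names and the stored payload are assumptions. It shows the principle that applies regardless of framework: the name is HTML-escaped at the moment it is substituted into the localized welcome string, so whatever is in the database is rendered as text rather than executed.

```java
import java.text.MessageFormat;

/**
 * Added illustration (not code from the original post or from Wicket):
 * the stored XSS described in the post is fixed at output time, by
 * escaping the value of realName as it is substituted into the
 * localized welcome message.
 */
public class WelcomeMessage {

    // Assumption: stands in for the I18N resource entry behind the
    // "Hello ${realName}. Welcome to the Synapse web." markup.
    static final String WELCOME_PATTERN = "Hello {0}. Welcome to the Synapse web.";

    /** Escape the five characters that carry meaning in HTML text and attribute context. */
    static String escapeHtml(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    /** The vulnerable shape: the stored name is interpolated into markup as-is. */
    static String renderUnescaped(String realName) {
        return MessageFormat.format(WELCOME_PATTERN, realName);
    }

    /** The fixed shape: escape at the point where the value becomes markup. */
    static String renderEscaped(String realName) {
        return MessageFormat.format(WELCOME_PATTERN, escapeHtml(realName));
    }

    public static void main(String[] args) {
        // Constructed sample: a "name" that is really a script element, as an
        // attacker might store it; the post does not show the real payload.
        String storedName = "<script>alert('xss')</script>";

        System.out.println("unescaped: " + renderUnescaped(storedName));
        System.out.println("escaped:   " + renderEscaped(storedName));

        // A legitimate name containing an apostrophe is still displayed correctly;
        // a DAO-level filter that rejected quotes would have refused it.
        System.out.println("escaped:   " + renderEscaped("Conan O'Brien"));
    }
}
```

The reason to do this at render time rather than in the DAO is that the database is not the only path by which a value reaches the page, and a filter strict enough to stop every payload also rejects legitimate input such as names with apostrophes or ampersands. In Wicket a plain Label already escapes its model value by default (setEscapeModelStrings is true), so the gap is specifically the value substituted into a resource string; that value needs the same treatment before substitution. Note that this helper is only right for HTML text and attribute content; a value placed inside a script block, a URL, or a CSS property needs the encoding for that context instead.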