I'm building an application for a client and my security advisor told me
about an XSS attack that can be performed on the site.
When a user logs in I welcome them by saying "Hello user".
Welcome to the Synapse web.
As you can see I use I18N so this is not the real text that will show
up, but it's similar.
I used to think that wicket validated output before building web but the
white hat hacked it by just putting a fake name into the database. Too
easy for me...
The content of realName is:
So I ended with:
In the web page. And the script executed on login.
I was thinking about baking a method into my DAO classes to validate everything
that goes to the database. But there should be a better solution.
Can you point me to the right one?
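To illustrate the difference between validating at the DAO and escaping at the point of output, here is an added example (not the asker's code) of a Wicket page rendering the welcome message; it assumes a `User` class with `getRealName()`, a resource key `welcome` in the page's properties file, and the Wicket 6+ `Label`/`StringResourceModel` API.

```java
import org.apache.wicket.markup.html.WebPage;
import org.apache.wicket.markup.html.basic.Label;
import org.apache.wicket.model.IModel;
import org.apache.wicket.model.Model;
import org.apache.wicket.model.StringResourceModel;
import org.apache.wicket.util.string.Strings;

// Assumed resource file entry (HomePage.properties):
//   welcome=Hello ${realName}. Welcome to the Synapse web.
// Assumed User class exposes getRealName(); it may hold anything that was
// written to the database, including markup such as <script>...</script>.
public class HomePage extends WebPage {

    public HomePage(IModel<User> userModel) {
        // Safe by default: Label HTML-escapes the whole model string when it
        // renders, so a realName containing "<script>" is emitted as
        // "&lt;script&gt;" and is displayed as text, not executed.
        // The DAO does not need to know anything about HTML for this to hold.
        add(new Label("welcome",
                new StringResourceModel("welcome", this, userModel)));

        // Vulnerable pattern: escaping is switched off, usually to let the
        // resource string carry markup such as <b>...</b>. Now whatever is
        // stored in realName reaches the browser verbatim.
        Label raw = new Label("welcomeRaw",
                new StringResourceModel("welcome", this, userModel));
        raw.setEscapeModelStrings(false);
        add(raw);

        // Hardened variant when the message itself must contain markup:
        // escape only the untrusted value, then interpolate it, so trusted
        // markup from the resource bundle survives and user data does not.
        String safeName = Strings.escapeMarkup(
                userModel.getObject().getRealName()).toString();
        Label mixed = new Label("welcomeMixed",
                new StringResourceModel("welcome", this, Model.of(new SafeUser(safeName))));
        mixed.setEscapeModelStrings(false);
        add(mixed);
    }

    // Minimal holder so ${realName} resolves to the already escaped value.
    public static class SafeUser {
        private final String realName;
        public SafeUser(String realName) { this.realName = realName; }
        public String getRealName() { return realName; }
    }
}
```

The rule the example demonstrates is that encoding belongs where the data is rendered (HTML here), not where it is stored: the same `realName` may later be written into JSON, a log or an email, each needing a different encoding.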