No need, Wicket escapes your model objects, see Component#setEscapeModelStrings(true) for when HTML should be escaped and thus the browser won't execute it as HTML or JS. http://ci.apache.org/projects/wicket/apidocs/6.x/org/apache/wicket/Component.html#setEscapeModelStrings(boolean)
That is on by default, so you should switch to using a Wicket model for your label. See the bottom section 11.1 "What is a model?" of the Wicket free guide at: http://wicket.apache.org/guide/guide/modelsforms.html#modelsforms_1

Also, older Wicket in Action: http://www.javaranch.com/journal/2008/10/using-wicket-labels-and-links.html

On Wed, Jan 29, 2014 at 12:26 PM, Gonzalo Aguilar Delgado <gagui...@aguilardelgado.com> wrote:
> Hi there,
>
> I'm building an application for a client and my security advisor told me
> about an XSS attack that can be performed on the site.
>
> When a user logs in I welcome them by saying "Hello user".
>
> <div class="thumbnail">
> <p wicket:id="message">
> Hello ${realName}.
> Welcome to the Synapse web.
> </p>
> </div>
>
> As you can see I use I18N so this is not the real text that will show up,
> but it's similar.
>
> I used to think that Wicket validated output before building the web page, but the
> white hat hacked it by just putting a fake name into the database. Too easy
> for me...
>
> The content of realName is:
>
> '';!--"<SCRIPT>alert('XSS')</SCRIPT>=&{()}
>
> So I ended with:
>
> Hello<b>'';!--"<script>alert('XSS')</script>=&{()}
>
> In the web page. And the script executed on login.
>
> I was thinking about baking a method into my DAO classes to validate
> everything that goes to the database. But there should be a better solution.
>
> Can you point me to the right one?
>
> Best regards,
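To make the reply concrete, here is an added example (editor's code, not from the thread or from the Wicket project) of the vulnerable pattern next to two fixes. It assumes a Wicket 6.x project, a `User` bean with `getRealName()` loaded from the database, a `WelcomePanel.properties` holding the i18n string the poster describes as `message=Hello <b>${realName}</b>. Welcome to the Synapse web.`, and the `WelcomePanel.html` sketched in the class comment; `WelcomePanel`, `EscapedUser` and the component ids are names chosen for this example. The key point is that `getString(key, model)` interpolates `${realName}` without escaping it, so escaping has to happen either on the parameter before interpolation or on a component whose model string Wicket escapes at render time.

```java
import java.io.Serializable;

import org.apache.wicket.markup.html.basic.Label;
import org.apache.wicket.markup.html.panel.Panel;
import org.apache.wicket.model.IModel;
import org.apache.wicket.model.Model;
import org.apache.wicket.model.PropertyModel;
import org.apache.wicket.util.string.Strings;

/**
 * Added example, not from the thread. Assumed resource file WelcomePanel.properties:
 *
 *   message=Hello <b>${realName}</b>. Welcome to the Synapse web.
 *
 * Assumed markup WelcomePanel.html:
 *
 *   <wicket:panel>
 *     <p wicket:id="messageUnsafe"></p>
 *     <p wicket:id="messageEscapedParam"></p>
 *     <p>Hello <b wicket:id="realName"></b>. Welcome to the Synapse web.</p>
 *   </wicket:panel>
 */
public class WelcomePanel extends Panel {

    public WelcomePanel(String id, IModel<User> user) {
        super(id);

        // VULNERABLE. getString(key, model) resolves ${realName} from the bean
        // verbatim, and escaping is switched off so the <b> in the resource
        // string renders. A realName of
        //   '';!--"<SCRIPT>alert('XSS')</SCRIPT>=&{()}
        // therefore reaches the browser as live markup: this is the poster's bug.
        String interpolated = getString("message", user);
        add(new Label("messageUnsafe", interpolated).setEscapeModelStrings(false));

        // FIX 1: escape the untrusted parameter *before* it is interpolated.
        // Strings.escapeMarkup() turns <, >, &, " and ' into entities, so the
        // <b> from the resource file still renders while the name cannot break
        // out of it. EscapedUser is a view-only bean defined below.
        String safeName = Strings.escapeMarkup(user.getObject().getRealName()).toString();
        String safeInterpolated = getString("message", Model.of(new EscapedUser(safeName)));
        add(new Label("messageEscapedParam", safeInterpolated).setEscapeModelStrings(false));

        // FIX 2 (what the reply suggests): give the untrusted value its own Label
        // backed by a model and leave setEscapeModelStrings at its default of
        // true. Wicket escapes the model string when rendering; the surrounding
        // text and the <b> live in the markup, so escaping never has to be
        // turned off and the database content is harmless whatever it holds.
        add(new Label("realName", new PropertyModel<String>(user, "realName")));
    }

    /** Minimal stand-in for the application's User entity (assumed). */
    public static class User implements Serializable {
        private final String realName;

        public User(String realName) {
            this.realName = realName;
        }

        public String getRealName() {
            return realName;
        }
    }

    /** Carries an already-escaped name so ${realName} resolves to safe text. */
    public static class EscapedUser implements Serializable {
        private final String realName;

        public EscapedUser(String realName) {
            this.realName = realName;
        }

        public String getRealName() {
            return realName;
        }
    }
}
```

Of the two fixes, the second is the more robust default: the encoding is applied at the output boundary by the component itself, so it also covers names that were stored before any DAO-side validation existed or that arrive through another write path. Reserve `setEscapeModelStrings(false)` for strings whose every untrusted part has been escaped first, as in the first fix, and grep for it during review.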