It looks like an EL expression but it's not wicket-el because it escapes output the same way wicket does...

speaking of, I must get off my butt and work out how to import it into wicketstuff... I've made all the changes that wicket 6.13 enabled.

On 30/01/14 19:03, Martin Grigorov wrote:
> Hi,
>
> On Wed, Jan 29, 2014 at 6:26 PM, Gonzalo Aguilar Delgado <
> gagui...@aguilardelgado.com> wrote:
>
>> Hi there,
>>
>> I'm building an application for a client and my security advisor told me
>> about an XSS attack that can be performed on the site.
>>
>> When a user logs in I welcome them by saying "Hello user".
>>
>> <div class="thumbnail">
>> <p wicket:id="message">
>> Hello ${realName}.
>>
> How do you substitute the value of ${realName} ?
> Wicket doesn't support such placeholders.
>
> The Wicket syntax would be: Hello <span wicket:id="realName"></span>.
> Together with: page.add(new Label("realName", "Some Name"));
>
>
>> Welcome to the Synapse web.
>> </p>
>> </div>
>>
>>
>> As you can see I use I18N so this is not the real text that will show up,
>> but it's similar.
>>
>> I used to think that wicket validated output before building the web page, but the
>> white hat hacked it by just putting a fake name into the database. Too easy
>> for me...
>>
>> The content of realName is:
>>
>> '';!--"<SCRIPT>alert('XSS')</SCRIPT>=&{()}
>>
>>
>> So I ended with:
>>
>> Hello<b>'';!--"<script>alert('XSS')</script>=&{()}
>>
>> In the web page. And the script executed on login.
>>
>> I was thinking about baking a method into my DAO classes to validate
>> everything that goes to the database. But it should be a better solution.
>>
>> Can you point me to the right one?
>>
>>
>>
>> Best regards,
>>
>>

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org
For additional commands, e-mail: users-h...@wicket.apache.org
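Added example, not code from the thread or from the Wicket project: it renders the name through a Wicket Label the way Martin's reply suggests, once with the default escaping and once with escaping switched off, so the difference can be seen in the rendered response. The component id "realName", the page markup, the class name and the use of WicketTester are my assumptions; the poisoned name is the one quoted in the thread, embedded here as constructed input.

```java
import org.apache.wicket.markup.Markup;
import org.apache.wicket.markup.html.basic.Label;
import org.apache.wicket.model.Model;
import org.apache.wicket.util.string.Strings;
import org.apache.wicket.util.tester.WicketTester;

/**
 * Shows Wicket's default output escaping for a Label whose model string came
 * from the database. Hypothetical demo class, not part of the original thread.
 */
public class GreetingEscapingDemo {

    // Constructed sample input: the poisoned name reported in the thread,
    // as the DAO would hand it back.
    static final String POISONED_NAME = "'';!--\"<SCRIPT>alert('XSS')</SCRIPT>=&{()}";

    // Assumed page markup, mirroring the reply's suggestion of a span
    // bound to a Label instead of a ${realName} placeholder.
    static final String PAGE_MARKUP =
        "<html><body>Hello <span wicket:id=\"realName\"></span>. "
        + "Welcome to the Synapse web.</body></html>";

    /** Safe form: Label escapes its model string by default (escapeModelStrings == true). */
    static Label safeGreeting(String realName) {
        return new Label("realName", Model.of(realName));
    }

    /** Weak form: escaping disabled. Only defensible for markup the application built itself. */
    static Label rawGreeting(String realName) {
        Label label = new Label("realName", Model.of(realName));
        label.setEscapeModelStrings(false);
        return label;
    }

    /** Renders the label inside PAGE_MARKUP with WicketTester and returns the response body. */
    static String render(Label label) {
        WicketTester tester = new WicketTester();
        try {
            tester.startComponentInPage(label, Markup.of(PAGE_MARKUP));
            return tester.getLastResponseAsString();
        } finally {
            tester.destroy();
        }
    }

    public static void main(String[] args) {
        String safe = render(safeGreeting(POISONED_NAME));
        String raw = render(rawGreeting(POISONED_NAME));

        // Default Label: '<' and '>' reach the browser as &lt; and &gt;
        // (what Strings.escapeMarkup produces), so no script element is created.
        System.out.println("default Label contains <SCRIPT>: " + safe.contains("<SCRIPT>"));
        System.out.println("escaped form: " + Strings.escapeMarkup(POISONED_NAME));

        // Escaping off: the stored value is emitted verbatim, which is the
        // behaviour the thread describes for the ${realName} placeholder.
        System.out.println("unescaped Label contains <SCRIPT>: " + raw.contains("<SCRIPT>"));
    }
}
```

The point of the comparison is that the fix belongs at the output side: a Label with the default escaping encodes the name at render time regardless of what is in the database, whereas validating values in the DAO, as the question considers, only helps for data that happens to pass through that path and still leaves any `setEscapeModelStrings(false)` call exposed to whatever was stored.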