It looks like an EL expression but it's not wicket-el because it escapes
output the same way wicket does...

Speaking of which, I must get off my butt and work out how to import it into
wicketstuff... I've made all the changes that Wicket 6.13 enabled.

On 30/01/14 19:03, Martin Grigorov wrote:
> Hi,
>
> On Wed, Jan 29, 2014 at 6:26 PM, Gonzalo Aguilar Delgado <
> gagui...@aguilardelgado.com> wrote:
>
>> Hi there,
>>
>> I'm building an application for a client and my security advisor told me
>> about a XSS attack that can be performed on the site.
>>
>> When a user logs in I welcome them by saying "Hello user".
>>
>> <div class="thumbnail">
>>                     <p wicket:id="message">
>>                         Hello ${realName}.
>>
> How do you substitute the value of ${realName} ?
> Wicket doesn't support such placeholders.
>
> The Wicket syntax would be: Hello <span wicket:id="realName"></span>.
> Together with: page.add(new Label("realName", "Some Name"));
>
>
>>                         Welcome to the Synapse web.
>>                     </p>
>>                 </div>
>>
>>
>> As you can see I use I18N so this is not the real text that will show up,
>> but it's similar.
>>
>> I used to think that Wicket validated output before building the web page, but
>> the white hat hacked it by just putting a fake name into the database. Too easy
>> for me...
>>
>> The content of realName is:
>>
>> '';!--"<SCRIPT>alert('XSS')</SCRIPT>=&{()}
>>
>>
>> So I ended with:
>>
>> Hello<b>'';!--"<script>alert('XSS')</script>=&amp;{()}
>>
>> In the web page. And the script executed on login.
>>
>> I was thinking about baking a method into my DAO classes to validate
>> everything that goes to the database. But there should be a better solution.
>>
>> Can you point me to the right one?
>>
>>
>>
>> Best regards,
>>
>>
>>

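The fix Martin describes, written out as an added example (this is not code from the thread or from the Wicket project itself; the page class, the `User` bean and the resource key `welcome` are assumptions). It keeps the original I18N approach: the `${realName}` placeholder moves out of the markup, where Wicket ignores it, into the page's resource bundle, where `StringResourceModel` resolves it against the model object. The `Label` then escapes the whole resolved string before rendering, because `escapeModelStrings` is on by default, so a name stored in the database as `<SCRIPT>...` comes out as literal text (`&lt;SCRIPT&gt;...`) instead of executing. Validating at the DAO layer, as the original poster considered, does not replace this: output encoding at the point of rendering is what neutralizes whatever reaches the database.

```java
// Added example for Wicket 6.x; WelcomePage, User and the "welcome" key are hypothetical.
import java.io.Serializable;

import org.apache.wicket.markup.html.WebPage;
import org.apache.wicket.markup.html.basic.Label;
import org.apache.wicket.model.Model;
import org.apache.wicket.model.StringResourceModel;

public class WelcomePage extends WebPage {

    // Hypothetical bean: realName is the database field an attacker can fill.
    public static class User implements Serializable {
        private final String realName;

        public User(String realName) {
            this.realName = realName;
        }

        public String getRealName() {
            return realName;
        }
    }

    public WelcomePage(User user) {
        // WelcomePage.html (constructed): the Label replaces the body of this element.
        //   <div class="thumbnail"><p wicket:id="message"></p></div>
        //
        // WelcomePage.properties (constructed): ${realName} is resolved by
        // StringResourceModel through User.getRealName(); it is NOT markup syntax.
        //   welcome=Hello ${realName}. Welcome to the Synapse web.
        //
        // Label escapes the resolved string (escapeModelStrings defaults to true),
        // so a stored value of <SCRIPT>alert('XSS')</SCRIPT> renders as inert text.
        add(new Label("message",
                new StringResourceModel("welcome", this, Model.of(user))));

        // The single change that would reintroduce the XSS: switching escaping off
        // for a model that can carry user-controlled data. Left here as a comment only.
        // add(new Label("message", someModel).setEscapeModelStrings(false));
    }
}
```

If a name genuinely has to be rendered inside hand-built markup rather than through a component, the same escaping Wicket applies is available directly as `org.apache.wicket.util.string.Strings.escapeMarkup(CharSequence)`; the point to keep is that escaping happens at render time, on the way out, not on the way into the database.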

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org
For additional commands, e-mail: users-h...@wicket.apache.org
