On Thu, Jan 30, 2014 at 10:26 AM, Steve <shadders....@gmail.com> wrote:
> It looks like an EL expression but it's not wicket-el because it escapes
> output the same way wicket does...
>
> Speaking of which, I must get off my butt and work out how to import it into
> wicketstuff... I've made all the changes that wicket 6.13 enabled.
> +1, ping me if you need help.
>
> On 30/01/14 19:03, Martin Grigorov wrote:
> > Hi,
> >
> > On Wed, Jan 29, 2014 at 6:26 PM, Gonzalo Aguilar Delgado <
> > gagui...@aguilardelgado.com> wrote:
> >
> >> Hi there,
> >>
> >> I'm building an application for a client and my security advisor told me
> >> about an XSS attack that can be performed on the site.
> >>
> >> When a user logs in I welcome them by saying "Hello user".
> >>
> >> <div class="thumbnail">
> >> <p wicket:id="message">
> >> Hello ${realName}.
> >>
> > How do you substitute the value of ${realName}?
> > Wicket doesn't support such placeholders.
> >
> > The Wicket syntax would be: Hello <span wicket:id="realName"></span>.
> > Together with: page.add(new Label("realName", "Some Name"));
> >
> >> Welcome to the Synapse web.
> >> </p>
> >> </div>
> >>
> >> As you can see I use I18N, so this is not the real text that will show up,
> >> but it's similar.
> >>
> >> I used to think that wicket validated output before building the web page, but the
> >> white hat hacked it by just putting a fake name into the database. Too easy
> >> for me...
> >>
> >> The content of realName is:
> >>
> >> '';!--"<SCRIPT>alert('XSS')</SCRIPT>=&{()}
> >>
> >> So I ended up with:
> >>
> >> Hello<b>'';!--"<script>alert('XSS')</script>=&{()}
> >>
> >> in the web page. And the script executed on login.
> >>
> >> I was thinking about baking a method into my DAO classes to validate
> >> everything that goes to the database. But there should be a better solution.
> >>
> >> Can you point me to the right one?
> >>
> >> Best regards,
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org
> > For additional commands, e-mail: users-h...@wicket.apache.org
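The Wicket idiom Martin describes above, written out as an added example (it is not code from this thread or from the Wicket project); it assumes Wicket 6.x APIs and that `Strings.escapeMarkup` is the helper a `Label` applies when escaping is enabled.

```java
// Added example, not from the thread: render the welcome line through a Label so
// Wicket's default output escaping applies to the name loaded from the database.
// Assumes Wicket 6.x: WebPage, Label, Model and Component.setEscapeModelStrings.
import org.apache.wicket.markup.html.WebPage;
import org.apache.wicket.markup.html.basic.Label;
import org.apache.wicket.model.Model;
import org.apache.wicket.util.string.Strings;

public class WelcomePage extends WebPage {

    // Markup (WelcomePage.html), the Wicket way instead of "Hello ${realName}.":
    //
    //   <div class="thumbnail">
    //     <p>Hello <span wicket:id="realName"></span>. Welcome to the Synapse web.</p>
    //   </div>

    public WelcomePage(String realNameFromDatabase) {
        // A Label escapes its model string by default (escapeModelStrings == true),
        // so a stored value such as  '';!--"<SCRIPT>alert('XSS')</SCRIPT>=&{()}
        // reaches the browser as text (&lt;SCRIPT&gt;...) rather than as markup.
        Label realName = new Label("realName", Model.of(realNameFromDatabase));
        add(realName);

        // Disabling escaping is the setting that would reintroduce the injection
        // for user-controlled data; keep it at its default for this component:
        realName.setEscapeModelStrings(true);
    }

    // Same transformation on its own, for checking what the Label emits.
    // Assumption: Strings.escapeMarkup is the helper Wicket uses for model strings.
    static CharSequence escapeForMarkup(String raw) {
        return Strings.escapeMarkup(raw);
    }
}
```

Validating names in the DAO, as Gonzalo considered, does not replace this: the escaping belongs at the output stage, where the component knows it is emitting HTML text.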