I got a report; it suggests our web site has to deal with an XML injection issue. We use DropDownChoice with OnChangeAjaxBehavior to invoke another DropDownChoice via the wicket-ajax built-in XML payload, and the reporters used Burp Suite to inject XML into the XML payload, such as injecting &xxe;

and this resulted in some abnormal response.

As a result, I have to prevent the XML injection. Do I check the entire payload or only check the value we need?

On Thu, Apr 9, 2020 at 4:11 PM Martin Grigorov <mgrigo...@apache.org> wrote:
> On Thu, Apr 9, 2020 at 11:09 AM Shengche Hsiao <shengchehs...@gmail.com> wrote:
>
> > Yes, I need to know overriding which methods
>
> I still do not understand what exactly you need to accomplish.
> Please be more specific!
>
> > On Thu, Apr 9, 2020 at 16:03 Martin Grigorov <mgrigo...@apache.org> wrote:
> >
> > > Hi,
> > >
> > > On Thu, Apr 9, 2020 at 10:27 AM ShengChe Hsiao <front...@gmail.com> wrote:
> > >
> > > > Dear all
> > > >
> > > > I use the built-in ajax dropdownchoice component; its default payload is an xml
> > > > entity, but if I need to prevent xml injection, how can I do it?
> > >
> > > Could you please give some more information what exactly you need?

-- 
----------------------------------------------------------------------->
We do this not because it is easy. We do this because it is hard.
----------------------------------------------------------------------->
ShengChe Hsiao
----------------------------------------------------------------------->
front...@gmail.com
front...@tc.edu.tw
----------------------------------------------------------------------->
VoIP : 070-910-2450
----------------------------------------------------------------------->
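One defensive approach to the question above, added here as an example and not code from the thread or from Wicket itself: if the XML payload is parsed on the server, parse it with a DocumentBuilder that refuses DOCTYPE declarations and external entities, so a payload carrying an &xxe; entity declaration is rejected before any value is read. The class name, the element names and the sample payloads are assumptions constructed for illustration.

```java
import java.io.IOException;
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

public class HardenedXmlPayload {

    /** Builds a parser that rejects DTDs and never resolves external entities (JDK default parser). */
    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Refuse any DOCTYPE: this alone blocks entity declarations such as <!ENTITY xxe ...>.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for parsers that do not honour the feature above.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        // Forbid all external DTD and schema access protocols.
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        return f.newDocumentBuilder();
    }

    /** Returns true when the payload parses under the hardened parser, false when it is rejected. */
    static boolean accepts(String xml) throws ParserConfigurationException {
        try {
            Document doc = hardenedBuilder().parse(new InputSource(new StringReader(xml)));
            return doc.getDocumentElement() != null;
        } catch (SAXException | IOException e) {
            // A DOCTYPE in the input makes the parser throw; treat that as a rejected payload.
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample payloads (hypothetical element names, not Wicket's own format).
        String clean = "<choice><value>2</value></choice>";
        String withEntity = "<!DOCTYPE d [<!ENTITY xxe \"injected\">]>"
                + "<choice><value>&xxe;</value></choice>";
        System.out.println("clean payload accepted: " + accepts(clean));
        System.out.println("payload with DOCTYPE accepted: " + accepts(withEntity));
    }
}
```

Checking the whole payload this way, rather than only the one value you need, means a malicious DTD is refused before the parser ever reaches that value.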