The images didn't make it to the mailing list.
Please use some online image paste bin.

On Thu, Apr 9, 2020 at 11:33 AM Shengche Hsiao <shengchehs...@gmail.com>
wrote:

> I got a report, and it suggests our web site should deal with an XML injection issue.
> We use DropDownChoice with OnChangeAjaxBehavior to invoke another
> DropDownChoice via the wicket-ajax built-in XML payload, and the reporters used
> Burp Suite to inject XML into the XML payload, such as injecting &xxe;
>
> [image: image.png]
>
> and it resulted in an abnormal response
>
> [image: image.png]
>
> As a result, I have to prevent the XML injection. Do I check the entire
> payload or only check the value we need?
>
> On Thu, Apr 9, 2020 at 4:11 PM Martin Grigorov <mgrigo...@apache.org>
> wrote:
>
>> On Thu, Apr 9, 2020 at 11:09 AM Shengche Hsiao <shengchehs...@gmail.com>
>> wrote:
>>
>> > Yes, I need to know which methods to override
>> >
>>
>> I still do not understand what exactly you need to accomplish.
>> Please be more specific!
>>
>>
>> >
>> > On Thu, Apr 9, 2020 at 16:03 Martin Grigorov <mgrigo...@apache.org>
>> wrote:
>> >
>> > > Hi,
>> > >
>> > > On Thu, Apr 9, 2020 at 10:27 AM ShengChe Hsiao <front...@gmail.com>
>> > wrote:
>> > >
>> > > > Dear all
>> > > >
>> > > > I use the built-in Ajax DropDownChoice component; its default payload
>> > > > is an XML entity, but if I need to prevent XML injection, how can I do it?
>> > > >
>> > >
>> > > Could you please give some more information on what exactly you need?
>> > >
>> > >
>> > > >
>> > > >
>> > > > ---------------------------------------------------------------------->
>> > > > To boldly go where no man has gone before.
>> > > > ---------------------------------------------------------------------->
>> > > > We do this not because it is easy. We do this because it is hard.
>> > > > ---------------------------------------------------------------------->
>> > > > If I have seen further it is by standing on the shoulders of giants.
>> > > > ---------------------------------------------------------------------->
>> > > > front...@gmail.com
>> > > >
>> > > >
>> > >
>> >
>>
>
>
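Added example, not code from the thread or from the Wicket project: a plain-Java helper that answers the "entire payload or only the value we need" question from a defender's side. It assumes the only attacker-controlled input in this exchange is the single value the DropDownChoice submits (the rest of the Ajax payload is generated by Wicket), so that value is allowlisted against the choices the server rendered and anything carrying an entity reference such as &xxe; is rejected. It also builds a hardened DocumentBuilderFactory for any place the application itself parses XML, so a DOCTYPE-bearing document is refused before entities are expanded. The class name AjaxPayloadGuard, the method names and the sample XML are assumptions made for the example; the sample response only imitates the shape of Wicket's <ajax-response> and is constructed here. Wiring the check into OnChangeAjaxBehavior or an IValidator is left to the reader. Requires Java 11 or later.

```java
import java.io.IOException;
import java.io.StringReader;
import java.util.Set;
import java.util.regex.Pattern;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

/** Hypothetical helper (not part of Wicket) guarding the value a DropDownChoice submits. */
public final class AjaxPayloadGuard {

    /** Matches any XML entity reference, named (&xxe;) or numeric (&#x41;), inside the value. */
    private static final Pattern ENTITY_REF = Pattern.compile("&#?[A-Za-z0-9]+;");

    /**
     * Checking only the value we need is sufficient when the rest of the payload is server
     * generated: accept the submitted value only if it is exactly one of the choices the
     * server rendered, and reject entity references and markup characters outright.
     */
    public static boolean isAllowedChoice(String submitted, Set<String> serverSideChoices) {
        if (submitted == null || submitted.isEmpty()) {
            return false;
        }
        if (ENTITY_REF.matcher(submitted).find()) {
            return false; // &xxe; style injection attempt
        }
        if (submitted.indexOf('<') >= 0 || submitted.indexOf('&') >= 0) {
            return false; // markup or a bare ampersand never belongs in a choice id
        }
        return serverSideChoices.contains(submitted);
    }

    /** Factory with DTDs, external entities and XInclude disabled (standard XXE hardening). */
    public static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        return f;
    }

    /** Parses with the hardened factory; a DOCTYPE anywhere in the input raises SAXException. */
    public static Document parseSafely(String xml)
            throws ParserConfigurationException, SAXException, IOException {
        DocumentBuilder builder = hardenedFactory().newDocumentBuilder();
        return builder.parse(new InputSource(new StringReader(xml)));
    }

    public static void main(String[] args) throws Exception {
        // Constructed: the choice ids the server rendered into the first dropdown.
        Set<String> choices = Set.of("0", "1", "2");
        System.out.println("'1'      allowed: " + isAllowedChoice("1", choices));       // true
        System.out.println("'&xxe;'  allowed: " + isAllowedChoice("&xxe;", choices));   // false
        System.out.println("'9'      allowed: " + isAllowedChoice("9", choices));       // false

        // Constructed: a well-formed response shaped like Wicket's ajax-response.
        String clean = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>"
                + "<ajax-response><component id=\"c1\"><![CDATA[<select/>]]></component></ajax-response>";
        System.out.println("clean root: " + parseSafely(clean).getDocumentElement().getNodeName());

        // Constructed: the same document with an internal entity declaration injected.
        String withDoctype = "<?xml version=\"1.0\"?><!DOCTYPE r [<!ENTITY xxe \"injected\">]>"
                + "<ajax-response>&xxe;</ajax-response>";
        try {
            parseSafely(withDoctype);
            System.out.println("unexpected: DOCTYPE accepted");
        } catch (SAXException e) {
            System.out.println("rejected as expected: " + e.getMessage());
        }
    }
}
```

The allowlist check is the one that matters for the reported finding: the server already knows the legal choice ids, so comparing the submitted value against that set is cheaper and more reliable than trying to sanitise the whole payload. The hardened factory is defence in depth for any code path that parses XML on the server.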
