We integrated the OWASP ESAPI Java code. It is a pretty robust encoding library. 
There are a ton of variants that people use to hack HTML. OWASP does a pretty 
good job of keeping them honest.

Dov

From: Mai Nguyen <brightmornin...@gmail.com>
Date: Mon, 11 Jul 2011 18:59:37 -0700
To: Mike Schrag <msch...@pobox.com>
Cc: WebObjects Development <webobjects-dev@lists.apple.com>
Subject: Re: WebObjects vulnerabilities?

Would it be sufficient to make sure that input strings (WOStrings) have 
escapeHTML = true? Or is it better to just strip HTML ourselves?

The wiki says:
 If you are certain that your strings have no characters in them which might be 
interpreted as HTML control characters, you get better performance if you set 
escapeHTML to false.

Is there any noticeable performance penalty if one sets escapeHTML to true?

thanks,

mai


On Jul 11, 2011, at 6:43 PM, Mike Schrag wrote:

You have to be mindful of ever rendering any tainted strings ... Any string 
that came from user input should be considered a risk for cross site scripting, 
so that's any field editable by a user, or any query parameter, etc. If you 
append those strings to response or <WOString> render them, make sure to escape 
HTML or strip HTML.

ms

On Jul 11, 2011, at 9:41 PM, Mai Nguyen wrote:

Do you mean the issue of malicious HTML tags?

I wonder what would be the best way to prevent those?

thanks,

mai


On Jul 11, 2011, at 6:36 PM, George Domurot wrote:

If you output strings with escapeHTML=false, you could have an issue.
You may want to consider stripping all potential tags from strings prior to 
rendering, or at the time of entry.

-G

On Jul 11, 2011, at 6:01 PM, Mai Nguyen wrote:

Hello,
I have found some good information about WebObjects and security at the 
following wiki link:

http://en.wikibooks.org/wiki/WebObjects/Web_Applications/Development/Authentication_and_Security

However, there is no mention of SQL injection, which seems to be an active 
subject lately. Is WebObjects pretty safe, as there is no need to generate SQL 
directly and access to the DB is going through the EOs normally?
Are there any other loopholes that I am not aware of?
About the following article:
http://support.apple.com/kb/TA26730?viewlocale=en_US
Would the normal WebObjects behavior be pretty safe if one does not allow the 
user to enter HTML tags? Does Project Wonder do something in this area?

Many thanks for your advice,

-mai

_______________________________________________
Do not post admin requests to the list. They will be ignored.
Webobjects-dev mailing list (Webobjects-dev@lists.apple.com)
Help/Unsubscribe/Update your Subscription:
http://lists.apple.com/mailman/options/webobjects-dev/george%40boxofficetickets.com

This email sent to geo...@boxofficetickets.com

