I have a J2EE project which uses the Wicket framework. I want to know how I can prevent JavaScript injection in Wicket.

+2  A: 

Although I didn't think the way in which you formulated your question deserved it (no details, no background, no example problem statement, implied susceptibility to injection, etc.), I dug up some details from the excellent Wicket in Action:

Wicket is secure by default

You never need to worry about pimple-faced 14-year-olds trying to hack your web application. To do so, they would have to hijack the session and then guess the right page identifiers and version numbers, which would be relative to the session and the relevant component paths. You’d have to be a persistent hacker to pull that off. You can make your Wicket application even more secure from the default by encrypting requests with, for instance, CryptedUrlWebRequestCodingStrategy.

Tim
A: 

All Wicket components (Labels, TextFields, etc.) escape strings by default, which avoids most common issues related to JavaScript injection.

You should take appropriate care, though, if you disable this behavior (component.setEscapeModelStrings(false)) for some reason, or create custom-rendered components (if you write the markup directly to the output).

tetsuo
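
The escaping behavior described in the answer above, as an added example that is not part of the original answers or of Wicket's own code. The names CommentPage and EscapedText, the wicket:id values and the sample input are hypothetical; the page needs a matching CommentPage.html, sketched in the comment.

```java
import org.apache.wicket.markup.ComponentTag;
import org.apache.wicket.markup.MarkupStream;
import org.apache.wicket.markup.html.WebComponent;
import org.apache.wicket.markup.html.WebPage;
import org.apache.wicket.markup.html.basic.Label;
import org.apache.wicket.util.string.Strings;

/*
 * Assumed markup, CommentPage.html:
 *   <span wicket:id="safe"></span>
 *   <span wicket:id="raw"></span>
 *   <span wicket:id="custom"></span>
 */
public class CommentPage extends WebPage {

    // Constructed sample standing in for user-supplied text.
    private static final String UNTRUSTED = "<script>alert(1)</script>";

    public CommentPage() {
        // Default behavior: the model string is escaped on render,
        // so the browser shows the text instead of running it.
        add(new Label("safe", UNTRUSTED));

        // Escaping switched off: the string reaches the page as markup.
        // Only acceptable when the value is markup the application
        // generated itself, never for request or database input.
        add(new Label("raw", UNTRUSTED).setEscapeModelStrings(false));

        // Custom-rendered component: it writes its own body, so it
        // has to do the escaping itself.
        add(new EscapedText("custom", UNTRUSTED));
    }

    /** Hypothetical component that renders its body directly. */
    static class EscapedText extends WebComponent {
        private final String text;

        EscapedText(String id, String text) {
            super(id);
            this.text = text;
        }

        @Override
        public void onComponentTagBody(MarkupStream markupStream, ComponentTag openTag) {
            // Strings.escapeMarkup turns <, >, & and quotes into entities.
            replaceComponentTagBody(markupStream, openTag, Strings.escapeMarkup(text));
        }
    }
}
```

When reviewing a code base, searching for `setEscapeModelStrings(false)` and for components that override `onComponentTagBody` or `onRender` gives the list of places where escaping is the application's responsibility.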