I'm currently in the process of developing a GWT 1.7.1 application that deals with a significant amount of persistent, user-generated data, so there is a risk of malicious XSS. One of the steps I am taking to prevent this is using org.apache.commons.lang.StringEscapeUtils.escapeHtml() server-side (Yes, I am well aware that this will not prevent all possible XSS attacks, as mentioned here and here).

This approach is causing a client-side problem since it appears that GWT is performing its own client-side escaping (e.g. the server returns the string “Alice & Bob Inc.” and “Alice & Bob Inc.” is being rendered to the DOM, which is incorrect). This is definitely happening client-side, as the HTTP response from the server contains the correctly encoded data. I have been going through the documentation for GWT and haven't found any reference to this feature. Is anyone aware of a way of disabling this behaviour?

+1  A: 

How are you adding the value the server returns to the page? Could you be adding it as text? If you are sure the String is safe you can add it as HTML (there is usually an option for HTML) or specific Widgets like HTML.

BTW, usually it's best not to return HTML-encoded values from the server, as you don't know how you may want to use them. I use the rule that you keep the values in their clean format till the last minute (adding to the document, etc.).

salk31
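The double-encoding behaviour described in the question and the "escape once, at the sink" rule from the answer, as an added example that is not part of the thread: `displayedAsText` and `displayedAsHtml` are assumed simplifications of how a browser shows a string set via a text sink (GWT `setText`, DOM `textContent`) versus a markup sink (GWT `setHTML`, DOM `innerHTML`); `escapeHtml` stands in for `StringEscapeUtils.escapeHtml()` for the five characters that matter.

```javascript
// Assumed model of the two GWT sinks, not code from the question or answer.
const ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
const DECODE = { amp: '&', lt: '<', gt: '>', quot: '"', '#39': "'" };

// Stand-in for StringEscapeUtils.escapeHtml(): encode the markup-significant characters.
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) => ENTITIES[c]);
}

// Text sink (setText / textContent): the browser parses nothing, so the string is
// displayed exactly as given. An already-escaped value therefore shows its entities.
function displayedAsText(s) {
  return s;
}

// Markup sink (setHTML / innerHTML): tags are interpreted (modelled here by dropping
// them) and entities are decoded. Unescaped user data reaching this sink is the XSS case.
function displayedAsHtml(s) {
  const withoutTags = s.replace(/<[^>]*>/g, '');
  return withoutTags.replace(/&(amp|lt|gt|quot|#39);/g, (_, name) => DECODE[name]);
}

// Constructed sample values standing in for user-generated data.
const company = 'Alice & Bob Inc.';
const markup = '<b>Mallory</b>';

// Four combinations of "where is it escaped" and "which sink renders it".
function scenarios() {
  return {
    // Server escapes, client uses the text sink: encoded twice, user sees "&amp;".
    serverEscapedThenText: displayedAsText(escapeHtml(company)),
    // Clean value, text sink: correct and safe because the sink does the escaping.
    cleanThenText: displayedAsText(company),
    // Server escapes, client uses the HTML sink: escaped exactly once, shown correctly.
    serverEscapedThenHtml: displayedAsHtml(escapeHtml(company)),
    // Escaped markup through the HTML sink is shown literally, not interpreted.
    escapedMarkupThenHtml: displayedAsHtml(escapeHtml(markup)),
    // Clean markup through the HTML sink is interpreted: the unsafe combination.
    cleanMarkupThenHtml: displayedAsHtml(markup),
  };
}

console.log(scenarios());
```

The first and fourth cases are the point of the thread: escaping server-side and again at the text sink produces "Alice &amp; Bob Inc." on screen, while escaping once at whichever sink is used renders correctly.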