In the GWT javadoc, we are advised:

If you only need a simple label (text, but not HTML), then the Label widget is more appropriate, as it disallows the use of HTML, which can lead to potential security issues if not used properly.

I would like to be educated/reminded about the security susceptibilities. It would be nice to list a description of the mechanisms of those risks.

Are the susceptibilities equally potent on GAE vs Amazon vs my home linux server?
Are they equally potent across the browser brands?

Thank you.

+1  A: 

The security risk of using the HTML widget is that it doesn't escape HTML characters like the Label widget does. This opens up the possibility of cross-site scripting (XSS). Therefore you should not use it to display data supplied by users. There is a risk even in using it for string literals in your code.

How your GWT project is deployed doesn't matter much for the security risk, as the risk is there anyway if you allow user-supplied data to be printed back unescaped. But how your site is used, e.g. how much content is user-contributed, and how popular your page is, have a huge effect on how likely it is that someone will actually exploit a weakness.

Though... if you have a habit of typing malicious JavaScript in your own source code, using Labels won't help anyway... :P

Stein G. Strindhaug
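To make the mechanism concrete, here is an added example (not code from the question, the answer, or the GWT project itself) of a GWT entry point that renders the same attacker-controlled string three ways: through the HTML widget, through Label, and through HTML fed a SafeHtml value built with GWT's escaping API. The class name, the module layout, the `name` query parameter and the fallback payload are all constructed for illustration; only the GWT classes and methods are real.

```java
import com.google.gwt.core.client.EntryPoint;
import com.google.gwt.safehtml.shared.SafeHtml;
import com.google.gwt.safehtml.shared.SafeHtmlBuilder;
import com.google.gwt.safehtml.shared.SafeHtmlUtils;
import com.google.gwt.user.client.Window;
import com.google.gwt.user.client.ui.HTML;
import com.google.gwt.user.client.ui.Label;
import com.google.gwt.user.client.ui.RootPanel;

/** Hypothetical entry point showing why HTML(String) on user input is an XSS sink. */
public class XssDemo implements EntryPoint {

    // Constructed attacker payload used when no ?name= parameter is present.
    // A reflected XSS would typically arrive exactly like this, via the URL.
    static final String SAMPLE_PAYLOAD =
        "Bob<img src=x onerror=\"alert(document.cookie)\">";

    // Flip to true only to see the vulnerable path fire in a browser.
    static final boolean SHOW_VULNERABLE = false;

    /** Untrusted input: whatever the user (or a link the victim clicked) put in ?name= */
    static String untrustedName() {
        String name = Window.Location.getParameter("name");
        return name == null ? SAMPLE_PAYLOAD : name;
    }

    /** What the Label widget effectively does: the string is set as text, so
     *  '<', '>', '&' and quotes never reach the HTML parser. Shown here via
     *  SafeHtmlUtils.htmlEscape so the result can be inspected as a string. */
    static String escapedGreeting(String name) {
        return SafeHtmlUtils.htmlEscape("Hello, " + name);
    }

    /** Safe way to mix trusted markup with untrusted text: the constant part
     *  is appended as HTML, the user part is appended escaped. */
    static SafeHtml safeGreeting(String name) {
        return new SafeHtmlBuilder()
            .appendHtmlConstant("<b>Hello, </b>")  // compile-time constant, trusted
            .appendEscaped(name)                    // untrusted, escaped
            .toSafeHtml();
    }

    @Override
    public void onModuleLoad() {
        String name = untrustedName();

        // 1. VULNERABLE: HTML(String) hands the raw string to innerHTML, so the
        //    <img onerror=...> in the payload is parsed and its script runs.
        if (SHOW_VULNERABLE) {
            RootPanel.get().add(new HTML("Hello, " + name));
        }

        // 2. SAFE: Label renders the string as text; the payload is displayed
        //    literally, tags and all, and nothing executes.
        RootPanel.get().add(new Label("Hello, " + name));

        // 3. SAFE: HTML(SafeHtml) accepts only values GWT's type system vouches
        //    for; escaping happened in safeGreeting().
        RootPanel.get().add(new HTML(safeGreeting(name)));

        // 4. Equivalent manual escaping if you must stay with HTML(String).
        RootPanel.get().add(new HTML(escapedGreeting(name)));
    }
}
```

Two caveats a practitioner should keep in mind. First, this is entirely client-side: Label and SafeHtml protect the DOM from a string that has already reached the browser, so they are the right fix regardless of whether the module is served from GAE, EC2 or a home Linux box, which is the answer's point about deployment not mattering. Second, `appendHtmlConstant` is only for literals you wrote yourself; passing it anything derived from input re-creates the original problem under a safer-looking name.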