myfaces-users mailing list archives

From Simon Kulessa <kule...@flexsecure.de>
Subject [Trinidad] XSS attack prevention?
Date Wed, 14 Jul 2010 08:14:18 GMT
Hello,

I have received word that there is some trouble with my signature,
so I am sending the mail again, this time without it.

Best regards,
Simon Kulessa.

---
Hello,

I have written my own component to display messages inside a JSF page.
The component is based on the tr:messages element.
My implementation of the renderer uses the following code to write the
message into the page.

//ResponseWriter writer
for(FacesMessage msg : messages) {

   writer.startElement("li", null);

   String summary = msg.getSummary();
   // add something to prevent xss attacks here
   writer.write(summary);

   writer.endElement("li");
}

The bad thing is that msg.getSummary() can contain JavaScript code -
which will be executed if the page is rendered. I need to add some
kind of prevention against this behaviour.

I assume that Trinidad offers some mechanisms to prevent
this kind of attack. Can someone give me some hints?

Best regards,
Simon Kulessa.

-- 

Diplom Informatiker Simon Kulessa

FlexSecure GmbH
Industriestr. 12
D - 64297 Darmstadt
Tel: +49 (0) 6151 501 23-15
Fax: +49 (0) 6151 501 23-19
E-Mail: kulessa@flexsecure.de
Internet: www.flexsecure.de

Managing directors:
Erwin Stallenberger, Markus Ruppert

Amtsgericht Darmstadt HRB 8036
VAT number: DE 214745269
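Added example, not code from the original mail or from Trinidad: the renderer loop from the message, rewritten so that the message summary goes through the standard ResponseWriter.writeText() (which escapes markup-significant characters) instead of write(), which copies the string verbatim. The class name and the surrounding ul element are assumptions.

```java
import java.io.IOException;
import java.util.Iterator;
import javax.faces.application.FacesMessage;
import javax.faces.component.UIComponent;
import javax.faces.context.FacesContext;
import javax.faces.context.ResponseWriter;
import javax.faces.render.Renderer;

// Hypothetical renderer for a custom messages component (class name is an assumption).
public class EscapingMessagesRenderer extends Renderer {

    @Override
    public void encodeEnd(FacesContext context, UIComponent component) throws IOException {
        ResponseWriter writer = context.getResponseWriter();

        writer.startElement("ul", component);
        // Attribute values have their own escaping rules; writeAttribute() applies them,
        // so never build attribute strings by hand with write().
        writer.writeAttribute("id", component.getClientId(context), null);

        Iterator<FacesMessage> messages = context.getMessages();
        while (messages.hasNext()) {
            FacesMessage msg = messages.next();
            writer.startElement("li", component);

            String summary = msg.getSummary();
            if (summary != null) {
                // writeText() escapes characters that are significant in the rendered
                // markup (for HTML: '<', '>', '&'), so a summary that contains markup
                // reaches the browser as literal text rather than as elements or script.
                // writer.write(summary) would emit it unescaped, which is the problem
                // described in the mail above.
                writer.writeText(summary, null);
            }

            writer.endElement("li");
        }
        writer.endElement("ul");
    }
}
```

The same rule applies to msg.getDetail() or any other text that originates from user input or from validation of user input: body text goes through writeText(), attribute values through writeAttribute(), and write() is reserved for markup the renderer itself generates.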
