myfaces-users mailing list archives

From Simon Kulessa <>
Subject [Trinidad] XSS attack prevention?
Date Wed, 14 Jul 2010 08:14:18 GMT

I have received word that there is some trouble with my signature,
so I am sending the mail again, this time without it.

Best regards,
Simon Kulessa.


I have written my own component to display messages inside a JSF page.
The component is based on the tr:messages element.
My implementation of the renderer uses the following code to write the
message into the page.

//ResponseWriter writer
for(FacesMessage msg : messages) {

   writer.startElement("li", null);

   String summary = msg.getSummary();
   // add something to prevent xss attacks here


The bad thing is that msg.getSummary() can contain JavaScript code -
which will be executed if the page is rendered. I need to add some
kind of prevention against this behaviour.

I assume that Trinidad offers some mechanisms to prevent
this kind of attack. Can someone give me some hints?

Best regards,
Simon Kulessa.


Diplom Informatiker Simon Kulessa

FlexSecure GmbH
Industriestr. 12
D - 64297 Darmstadt
Tel: +49 (0) 6151 501 23-15
Fax: +49 (0) 6151 501 23-19

Erwin Stallenberger, Markus Ruppert

Amtsgericht Darmstadt HRB 8036
Umsatzsteuernummer: DE 214745269
