myfaces-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Jan-Kees van Andel <jankeesvanan...@gmail.com>
Subject Re: [Trinidad] XSS attack prevention?
Date Wed, 14 Jul 2010 16:29:57 GMT
Hey,

Preventing XSS can be very easy or very difficult, depending on your
situation.

Simply put, if you have set up all encodings and MIME types properly, AND
you only use your custom component in the context of HTML, simply HTML
encoding should be enough. With "in the context of HTML", I mean, you don't
put the component inside <script></script> or <style></style> tags.
But
also, you don't put it inside HTML attributes such as "style" and "onclick",
because they trigger a context switch in the browser.

If you do intend to use the component in places like between script or style
tags, you should not HTML encode, but use the encodings that apply for CSS
or JavaScript, which is not only impossible to write in a generic manner,
but also extremely difficult to get secure. For example, take a look at this
snippet (JSP or Facelets):
<input type="text" onclick="alert(${someBean.property})" />

How do you think this expression should be escaped?

Having said this, if you only use your component in "sensible" places, HTML
encoding is the way to go and, like Max mentioned, ResponseWriter.writeText
does this. You might want to take a look at the MyFaces implementation:
http://svn.apache.org/repos/asf/myfaces/shared/trunk/core/src/main/java/org/apache/myfaces/shared/renderkit/html/HtmlResponseWriterImpl.java

Regards,
Jan-Kees



2010/7/14 Max Starets <max.starets@oracle.com>

> Simon,
>
> If you use ResponseWriter.witeText(), any <script> elements would be
> definitely escaped.
>
> Max
>
>
> Simon Kulessa wrote:
>
>> Hello,
>>
>> I have received word that there is some trouble with my signature,
>> so I send the mail again, this time without it.
>>
>> Best regards,
>> Simon Kulessa.
>>
>> ---
>> Hello,
>>
>> I have written my own component to display messages inside a jsf page.
>> The component is based on the tr:messages Element.
>> My implementation of the renderer uses the following code to write the
>> message into the page.
>>
>> //ResponseWriter writer
>> for(FacesMessage msg : messages) {
>>
>>  writer.startElement("li", null);
>>
>>  String summary = msg.getSummary();
>>  // add something to prevent xss attacks here
>>  writer.write(summary);
>>
>>  writer.endElement("li");
>> }
>>
>> The bad thing is that msg.getSummary() can contain JavaScript code -
>> which will be executed if the page is rendered. I need to add some
>> kind of prevention against this behaviour.
>>
>> I assume that Trinidad offers some mechanisms to prevent
>> these kind of attacks. Can someone give me some hints?
>>
>> Best regards,
>> Simon Kulessa.
>>
>>
>

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message