myfaces-users mailing list archives

From Jakob Korherr <jakob.korh...@gmail.com>
Subject Re: [Trinidad] XSS attack prevention?
Date Wed, 14 Jul 2010 09:01:46 GMT
Hi Simon,

Sorry, I don't know if there is anything in Trinidad that does that for you
automatically, but you can check out the OWASP cheat sheet for XSS at [1].
Maybe this will help!

Regards,
Jakob

[1]
http://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet

2010/7/14 Simon Kulessa <kulessa@flexsecure.de>

> Hello,
>
> I have written my own component to display messages inside a JSF page.
> The component is based on the tr:messages element.
> My implementation of the renderer uses the following code to write the
> message into the page.
>
> // ResponseWriter writer
> for (FacesMessage msg : messages) {
>     writer.startElement("li", null);
>
>     String summary = msg.getSummary();
>     // add something to prevent xss attacks here
>     writer.write(summary);
>
>     writer.endElement("li");
> }
>
> The bad thing is that msg.getSummary() can contain JavaScript code, which
> will be executed when the page is rendered. I need to add some
> kind of prevention against this behaviour.
>
> I assume that Trinidad offers some mechanisms to prevent
> this kind of attack. Can someone give me some hints?
>
>
> Best regards,
> Simon Kulessa.
> --
>
> Diplom Informatiker Simon Kulessa
>
> FlexSecure GmbH
> Industriestr. 12
> D - 64297 Darmstadt
> Tel: +49 (0) 6151 501 23-15
> Fax: +49 (0) 6151 501 23-19
> E-Mail: kulessa@flexsecure.de
> Internet: www.flexsecure.de
>
> Managing directors:
> Erwin Stallenberger, Markus Ruppert
>
> Darmstadt District Court HRB 8036
> VAT number: DE 214745269
>
>


-- 
Jakob Korherr

blog: http://www.jakobk.com
twitter: http://twitter.com/jakobkorherr
work: http://www.irian.at
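One way to close the gap in the quoted renderer snippet, as an added example that is neither Trinidad's nor Jakob's code: write the summary with ResponseWriter.writeText() instead of write(), because the HTML ResponseWriter escapes text passed to writeText() while write() emits it verbatim. The renderer class name and the "summary" property name are assumptions.

```java
import java.io.IOException;
import java.util.Iterator;

import javax.faces.application.FacesMessage;
import javax.faces.component.UIComponent;
import javax.faces.context.FacesContext;
import javax.faces.context.ResponseWriter;
import javax.faces.render.Renderer;

/**
 * Hypothetical renderer for a custom messages component (example only).
 * Every untrusted string is emitted through writeText(), which the HTML
 * ResponseWriter escapes, never through write(), which emits raw markup.
 */
public class EscapingMessagesRenderer extends Renderer {

    @Override
    public void encodeEnd(FacesContext context, UIComponent component)
            throws IOException {
        ResponseWriter writer = context.getResponseWriter();

        writer.startElement("ul", component);
        // writeAttribute() escapes as well, so the client id is safe here.
        writer.writeAttribute("id", component.getClientId(context), "id");

        Iterator<FacesMessage> messages = context.getMessages();
        while (messages.hasNext()) {
            FacesMessage msg = messages.next();
            writer.startElement("li", component);

            // writeText() turns <, >, & and quotes into entities, so a summary
            // such as "<script>alert(1)</script>" is rendered as literal text
            // rather than executed. The second argument is the component
            // property the text belongs to (assumed name, may be null).
            writer.writeText(msg.getSummary(), "summary");

            writer.endElement("li");
        }
        writer.endElement("ul");
    }
}
```

writeText() covers element body text only; a message placed into a JavaScript block, an event-handler attribute or a URL needs the context-specific encoding described in the OWASP cheat sheet Jakob linked.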
