Revision: 8293
Author: jlaba...@google.com
Date: Tue Jun 22 05:23:16 2010
Log: Escaping HTML strings from the client as a good practice to avoid XSS vulnerabilities in apps that build off of the default app.

Review at http://gwt-code-reviews.appspot.com/619803

Review by: mmen...@google.com
http://code.google.com/p/google-web-toolkit/source/detail?r=8293

Modified:
 /trunk/user/src/com/google/gwt/user/tools/RpcServerTemplate.javasrc

=======================================
--- /trunk/user/src/com/google/gwt/user/tools/RpcServerTemplate.javasrc Wed Jan 6 12:18:02 2010
+++ /trunk/user/src/com/google/gwt/user/tools/RpcServerTemplate.javasrc Tue Jun 22 05:23:16 2010
@@ -22,7 +22,27 @@

     String serverInfo = getServletContext().getServerInfo();
     String userAgent = getThreadLocalRequest().getHeader("User-Agent");
+
+ // Escape data from the client to avoid cross-site script vulnerabilities.
+    input = escapeHtml(input);
+    userAgent = escapeHtml(userAgent);
+
     return "Hello, " + input + "!<br><br>I am running " + serverInfo
         + ".<br><br>It looks like you are using:<br>" + userAgent;
   }
-}
+
+  /**
+   * Escape an html string. Escaping data received from the client helps to
+   * prevent cross-site script vulnerabilities.
+   *
+   * @param html the html string to escape
+   * @return the escaped string
+   */
+  private String escapeHtml(String html) {
+    if (html == null) {
+      return null;
+    }
+ return html.replaceAll("&", "&amp;").replaceAll("<", "&lt;").replaceAll(
+        ">", "&gt;");
+  }
+}
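Review bot: escapeHtml on the new side escapes only `&`, `<` and `>`, which covers the text-node context where `input` and `userAgent` are concatenated in this hunk, but this file is a template copied into new apps, and a derived app that drops the returned string into an attribute value is left with `"` and `'` unescaped. Since every argument in the chain is a plain literal rather than a pattern, `String.replace` is also the clearer choice over `replaceAll`; I would change the return to `return html.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")` continued with `.replace("\"", "&quot;").replace("'", "&#39;");`. The Javadoc should then list which characters are replaced and note that without the quote replacements the result is only safe as element content, not inside attributes. The method whose body receives the two escape calls at the top of the hunk starts before the hunk.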
