Hi Folks,
Sorry about this, but I'm going to have to move this hangout by a week, to
Wednesday Feb 5th, same time - 10.45 to 11.30am. We have another internal
(Google) meeting that requires me and other GWT team members to be present.
The meeting will still be recorded and available as usual.
Thanks folks,
This is great stuff. Keep it coming!
I am looking for all potential points of interest in a code review.
Including XSRF and JSON related vulnerabilities.
--
http://groups.google.com/group/Google-Web-Toolkit-Contributors
---
You received this message because you are subscribed
Maybe Matthew Dempsky can comment, but I believe there's an error-prone
plugin that handles checking for XSS in GWT and bad use of SafeHtml/setHTML.
On Tue, Jan 28, 2014 at 12:05 PM, Kurt Dmello wrote:
> Thanks Thomas,
> That was helpful. I tried the img tag and it did work.
>
>
> What you're
Thanks Thomas,
That was helpful. I tried the img tag and it did work.
> What you're seeing here is browser "sanitization" from innerHTML (not
> sanitization actually, just that the
Another set of dangerous code to look for would be any SafeHtmlUtils or
SafeHtmlBuilder (and their uri/style counterparts) call that should take
'constant' or 'trusted' but instead takes untrusted user data. Custom
implementations of SafeHtml should also be treated as suspect.
These all fall under
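The pattern the message above asks reviewers to look for, shown as an added illustration rather than code from this thread or from the GWT project: the "trusted"/"constant" entry points of GWT's real com.google.gwt.safehtml API receiving user-controlled data, next to the escaping forms a reviewer should expect to see instead. The class, method names and the sample comment string are hypothetical; the SafeHtmlUtils, SafeHtmlBuilder and UriUtils calls are GWT's own.

```java
// Added example for reviewing GWT SafeHtml usage (hypothetical class; not from the thread).
// Assumes the GWT safehtml module (com.google.gwt.safehtml.shared) on the classpath.
import com.google.gwt.safehtml.shared.SafeHtml;
import com.google.gwt.safehtml.shared.SafeHtmlBuilder;
import com.google.gwt.safehtml.shared.SafeHtmlUtils;
import com.google.gwt.safehtml.shared.SafeUri;
import com.google.gwt.safehtml.shared.UriUtils;

public class SafeHtmlReviewExamples {

    // FLAG IN REVIEW: fromTrustedString() asserts that the caller has already vetted the
    // markup. Feeding it a string built from user data discards the SafeHtml guarantee; the
    // type still says SafeHtml, so nothing downstream will catch it.
    static SafeHtml renderCommentUnsafe(String userSupplied) {
        return SafeHtmlUtils.fromTrustedString(
            "<div class=\"comment\">" + userSupplied + "</div>");
    }

    // EXPECTED FORM: the surrounding markup is a literal constant, and the user-controlled
    // part goes through appendEscaped(), which HTML-escapes it.
    static SafeHtml renderCommentSafe(String userSupplied) {
        return new SafeHtmlBuilder()
            .appendHtmlConstant("<div class=\"comment\">")
            .appendEscaped(userSupplied)
            .appendHtmlConstant("</div>")
            .toSafeHtml();
    }

    // Same review rule for the URI counterpart: UriUtils.fromTrustedString() on a
    // user-supplied link is the thing to flag; UriUtils.fromString() sanitizes the scheme.
    static SafeUri linkUnsafe(String userSuppliedHref) {
        return UriUtils.fromTrustedString(userSuppliedHref);
    }

    static SafeUri linkSafe(String userSuppliedHref) {
        return UriUtils.fromString(userSuppliedHref);
    }

    // A hand-rolled SafeHtml implementation sidesteps every check above; the message
    // rightly treats these as suspect. Reviewers should ask why the built-in factories
    // were not enough.
    static final class RawSafeHtml implements SafeHtml {
        private final String html;
        RawSafeHtml(String html) { this.html = html; }
        @Override public String asString() { return html; }
        @Override public boolean equals(Object o) {
            return o instanceof RawSafeHtml && ((RawSafeHtml) o).html.equals(html);
        }
        @Override public int hashCode() { return html.hashCode(); }
    }

    // Constructed input for a quick self-check; runs in plain Java since escaping is
    // pure string handling.
    public static void main(String[] args) {
        String sample = "<b>hi</b> & bye";   // constructed sample, not real user data
        System.out.println("unsafe: " + renderCommentUnsafe(sample).asString());
        System.out.println("safe:   " + renderCommentSafe(sample).asString());
        // unsafe keeps the markup verbatim; safe yields &lt;b&gt;hi&lt;/b&gt; &amp; bye
        // inside the constant div.
    }
}
```

When grepping a code base for this, the names worth listing in the checklist are the ones that bypass escaping by design: SafeHtmlUtils.fromTrustedString, SafeHtmlBuilder.appendHtmlConstant, UriUtils.fromTrustedString, their SafeStyles counterparts, and any class that implements SafeHtml, SafeUri or SafeStyles directly. Each hit is fine only when its argument is a compile-time constant.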
Hey folks,
I am a relative noob to GWT and have been looking at it from a security
code review perspective. I want to create a set of guidelines for people
who have to review GWT code from a security perspective looking for
vulnerabilities.
I have read and understood :
http://www.gwtproject.or
On Tuesday, January 28, 2014 5:04:08 PM UTC+1, Kurt Dmello wrote:
>
> Hey folks,
> I am a relative noob to GWT and have been looking at it from a security
> code review perspective. I want to create a set of guidelines for people
> who have to review GWT code from a security perspective lookin
The concern I've heard expressed during in-person discussions about how to
do this is that a written document of answers 'feels' more real and
concrete than a group of people answering questions live, since they clearly
have no chance to vet their answers from their own organization or with
each other
A reddit-style AMA would be really cool; so long as we give enough warning
and promo (like posting the event in the G+ community a month ahead of time),
I'm sure it would be a hit.
The questions in the moderator would probably all get asked;
though seeing some of them come up in the gwt-team mee