A reddit-style AMA would be really cool; so long as we give enough warning
and promo,
(like posting the event in the G+ community a month ahead of time) I'm sure
it would be a hit.
The questions in the moderator would probably all get asked;
though seeing some of them come up in the gwt-team
The concern I've heard expressed during in-person discussions about how to
do this is that a written document of answers 'feels' more real and
concrete than a group of people answer questions live, since they clearly
have no chance to vet their answers from their own organization or with
each
On Tuesday, January 28, 2014 5:04:08 PM UTC+1, Kurt Dmello wrote:
Hey folks,
I am a relative noob to GWT and have been looking at it from a security
code review perspective. I want to create a set of guidelines for people
who have to review GWT code from a security perspective looking
Hey folks,
I am a relative noob to GWT and have been looking at it from a security
code review perspective. I want to create a set of guidelines for people
who have to review GWT code from a security perspective looking for
vulnerabilities.
I have read and understood :
Another set of dangerous code to look for would be any SafeHtmlUtils or
SafeHtmlBuilder (and their uri/style conterparts) call that should take
'constant' or 'trusted' but instead takes untrusted user data. Custom
implementions of SafeHtml should also be treated as suspect.
These all fall
Thanks Thomas,
That was helpful. I tried the img tag and it did work.
What you're seeing here is browser sanitization from innerHTML (not
sanitization actually, just that the script are not run). Try with img
onerror=alert(1) src=// or similar (onclick, etc.)
What should someone
Maybe Matthew Dempsky can comment, but I believe there's an error-prone
plugin that handles checking for XSS in GWT and bad use of SafeHtml/setHTML.
On Tue, Jan 28, 2014 at 12:05 PM, Kurt Dmello kdme...@gmail.com wrote:
Thanks Thomas,
That was helpful. I tried the img tag and it did work.
Thanks folks,
This is great stuff. Keep it coming !
I am looking for all potential points of interest in a code review.
Including XSRF and JSON related vulnerabilities.
--
http://groups.google.com/group/Google-Web-Toolkit-Contributors
---
You received this message because you are subscribed
Hi Folks,
Sorry about this, but I'm going to have to move this hangout by a week, to
Wednesday Feb 5th, same time - 10.45 to 11.30am. We have another internal
(Google) meeting that requires me and other GWT team members to be present.
The meeting will still be recorded and available as usual.