That kind of security is a wasp's nest...
JavaScript is not the only possible fountain of problems... SQL code injection is another one...
 
My take is that JSF's validation might be already too far within the application's scope to deal with
such attack opportunities. I would prefer to have it on a "box" / "appliance" / "sw-firewall" put in front of
the actual web application container...
 
regards
Alexander


From: Dave [mailto:[EMAIL PROTECTED]]
Sent: Sunday, February 26, 2006 11:34 PM
To: users@myfaces.apache.org
Subject: what is the worst thing that could happen - escape=false

<inputTextarea> allows users to input a description including any HTML tags,
which is then displayed back to the client using <outputText> escape="false".
 
Users can type in JavaScript and anything else. What is the security hole? Client side or server side? Can users break into server-side security this way? I believe it is client side only. On the server side, we just do the model update and store it in the database.
 
Even for client side, it is a big issue, since the description is viewable by all users.
 
Is there a way to prevent this, but support HTML tags?
Is adding a validator checking <script> sufficient?
 
Thanks!
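The question asks whether a validator that looks for <script> is enough when the text is later rendered with escape="false". As an added illustration (not code from this thread or from MyFaces), the block below puts the proposed check beside an allowlist-based sanitizer built on Python's html.parser, and runs both over a few constructed description strings. The allowed tag set, the attribute rules and the sample inputs are assumptions chosen for the example; a JSF deployment would apply the same allowlist logic inside a Validator or before storing the model value.

```python
from html import escape
from html.parser import HTMLParser

# Assumption: "support HTML tags" means this small formatting subset.
ALLOWED_TAGS = {"b", "i", "em", "strong", "p", "br", "ul", "ol", "li", "a"}
ALLOWED_ATTRS = {"a": {"href"}}          # every other attribute is dropped
VOID_TAGS = {"br"}                       # never pushed on the open-tag stack
DROP_WITH_CONTENT = {"script", "style"}  # tag and its text are both removed


def naive_script_check(value: str) -> bool:
    """The validator the question proposes: accept unless '<script' appears."""
    return "<script" not in value


def render_escaped(value: str) -> str:
    """What escape="true" gives: every tag becomes literal text."""
    return escape(value, quote=True)


def safe_href(url: str) -> bool:
    """Accept http(s) and relative links only; scheme check is case-insensitive."""
    u = url.strip().lower()
    return u.startswith(("http://", "https://", "/")) or ":" not in u


class AllowlistSanitizer(HTMLParser):
    """Rebuilds the markup from scratch, keeping only allowed tags/attributes."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []
        self.skipping = False

    def handle_starttag(self, tag, attrs):
        # html.parser lowercases tag and attribute names, so <ScRiPt> is "script".
        if tag in DROP_WITH_CONTENT:
            self.skipping = True
            return
        if tag not in ALLOWED_TAGS:
            return  # unknown tag is dropped, its text content is kept (escaped)
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()) or value is None:
                continue  # event handlers and other attributes never survive
            if name == "href" and not safe_href(value):
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skipping = False
            return
        if tag in self.open_tags:
            # Close anything opened after it so the output stays well-formed.
            while self.open_tags:
                t = self.open_tags.pop()
                self.out.append(f"</{t}>")
                if t == tag:
                    break

    def handle_data(self, data):
        if not self.skipping:
            self.out.append(escape(data, quote=False))

    def result(self) -> str:
        while self.open_tags:  # close tags the input left open
            self.out.append(f"</{self.open_tags.pop()}>")
        return "".join(self.out)


def sanitize(html: str) -> str:
    p = AllowlistSanitizer()
    p.feed(html)
    p.close()
    return p.result()


# Constructed sample descriptions, not taken from any real application.
SAMPLES = {
    "plain": "<p>Hello <b>world</b></p>",
    "mixed_case_script": "<p>hi</p><ScRiPt>alert(1)</ScRiPt>",
    "event_attr": '<b onclick="alert(1)">click</b>',
    "link": '<a href="https://example.org/">ok</a>',
}


def compare(samples=SAMPLES) -> dict:
    """For each sample: does the naive check pass it, and what does the sanitizer emit?"""
    return {k: (naive_script_check(v), sanitize(v)) for k, v in samples.items()}


if __name__ == "__main__":
    for name, (passed_naive, cleaned) in compare().items():
        print(f"{name:18} naive check passes: {passed_naive!s:5} sanitized: {cleaned}")
```

The two middle samples are the point: the proposed check passes both, because one spells the tag in mixed case and the other carries no script tag at all, while the allowlist rebuild leaves only `<p>hi</p>` and `<b>click</b>`. The alternative, keeping escape="true" and calling render_escaped, is safe but turns every tag into visible text, which is the trade-off the question is asking about.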

