Hi Arthur,

While I can't address all of your concerns, I can address a couple.


> 1. ESCAPING CHARACTERS: I have read in Wicket's mailing list that all Wicket
> components escape values. I have done some tests in the "wicket-examples"
> application distributed in the wicket-1.3.1 release and I have modified, in the
> FormInput.properties file, the value of key "string" with this value
> "<script>alert("xss");</script>" and I see that this script is executed when
> I load the page with this message key. So, I don't know if all components
> escape values or not!


I'm not familiar with that example, but from my experience, Wicket
components escape HTML unless specifically told otherwise.


> 2. INTEGRITY: Actually in my bank application we have hidden fields in our
> forms to store critical values and I want to know if Wicket by default
> guarantees data integrity or not. I want to guarantee integrity like HDIV
> does in Struts and Spring MVC apps... is it possible in Wicket?


Hidden fields are not required with Wicket applications since the data that
was formerly stored in hidden fields in other frameworks is maintained in
Wicket's model classes.  I had a hard time understanding this at first as
well, but the essential element is you don't need hidden fields in Wicket
applications.


> I have read in Wicket's documentation that it is possible to encrypt URLs
> ensuring integrity (
> http://cwiki.apache.org/WICKET/url-coding-strategies.html) but is it
> possible to apply this strategy to forms? Or are data tampering attacks
> possible in Wicket forms with hidden fields?
>
> So, can Wicket ensure data integrity?
>
> 3. CONFIDENTIALITY: After reading HDIV's reference document I have seen that in
> our application database identifiers are presented in HTML pages as combo
> value ids and now we want to hide these values. I thought about
> implementing a common renderer for all my Wicket components to be
> responsible for returning a value relative to the original values, but I do
> not like it because it is probable that my programmers won't use it in all
> cases and it is a risk that I don't want to run. Is there any Wicket
> functionality to return confidential data, by default, for form values? I
> do not want to rely on developers...


This goes along with my earlier response.  Unless you explicitly present
them to the user, there is no need to expose internal identifiers.


> 4. RANDOM TOKENS: I want to avoid CSRF attacks and I have read (
> http://www.owasp.org/index.php/Top_10_2007-A5) that a possible solution is
> to add random tokens to all requests. Is it possible to add a random
> parameter to requests automatically in Wicket?


Perhaps someone else can chime in here, but I don't think this is a problem
with Wicket applications.


> I need your help to answer these questions, pls!
>
> thanks!
>
> [1] http://www.nabble.com/Shout-more-about-security-advantages-of-Wicket--to14800934.html#a14816425
> [2] http://www.hdiv.org/docs/hdiv-reference.pdf



-- 
Nick Heudecker
Professional Wicket Training & Consulting
http://www.systemmobile.com

Eventful - Intelligent Event Management
http://www.eventfulhq.com
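An added check for question 1, not part of Nick's reply or of the Wicket project's own code: it renders the same payload through a Label with default escaping and through one where a developer has called setEscapeModelStrings(false), then inspects the HTML that WicketTester produced. It assumes Wicket 1.3 (plus the servlet API and slf4j on the classpath); the page class, component ids and payload are constructed for this example.

```java
import org.apache.wicket.MarkupContainer;
import org.apache.wicket.markup.IMarkupResourceStreamProvider;
import org.apache.wicket.markup.html.WebPage;
import org.apache.wicket.markup.html.basic.Label;
import org.apache.wicket.util.resource.IResourceStream;
import org.apache.wicket.util.resource.StringResourceStream;
import org.apache.wicket.util.tester.WicketTester;

/** Constructed test page; inline markup means no EscapingCheckPage.html is needed. */
public class EscapingCheckPage extends WebPage implements IMarkupResourceStreamProvider {

    // Constructed payload: the same string Arthur put into FormInput.properties.
    static final String PAYLOAD = "<script>alert(\"xss\");</script>";

    public EscapingCheckPage() {
        // Default behaviour: Label escapes its model string, so the tags render as text.
        add(new Label("safe", PAYLOAD));
        // Explicit opt-out: only here does the same string reach the browser as markup.
        add(new Label("raw", PAYLOAD).setEscapeModelStrings(false));
    }

    public IResourceStream getMarkupResourceStream(MarkupContainer container, Class containerClass) {
        return new StringResourceStream("<html><body>"
                + "<span wicket:id=\"safe\"></span>"
                + "<span wicket:id=\"raw\"></span>"
                + "</body></html>");
    }

    public static void main(String[] args) {
        WicketTester tester = new WicketTester();
        tester.startPage(EscapingCheckPage.class);
        String html = tester.getServletResponse().getDocument();

        // The default Label must have turned '<' and '>' into entities.
        if (!html.contains("&lt;script&gt;")) {
            throw new AssertionError("default Label did not escape the payload");
        }
        // The opt-out Label shows what a component with escaping disabled emits.
        if (!html.contains(PAYLOAD)) {
            throw new AssertionError("setEscapeModelStrings(false) was expected to emit raw markup");
        }
        System.out.println("Label escapes by default; only the explicit opt-out emitted raw markup.");
    }
}
```

Searching a code base for setEscapeModelStrings(false) gives the list of places where this default has been switched off and the value's origin needs review.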
