Hello Igor, I remain an Ant person for now and not a Maven person, so instead of a quickstart project I attach HTML and Java code for a Wicket test page:
http://apache-wicket.1842946.n4.nabble.com/file/n3060397/PageSpecificTest.html (PageSpecificTest.html)
http://apache-wicket.1842946.n4.nabble.com/file/n3060397/PageSpecificTest.java (PageSpecificTest.java)

I commented out the log output in case you use a different log output method to me. This web page accepts input in a TextField and TextArea<String> component, and after form submission it renders this input in both the original components and also as copied to a Label and TextArea component respectively.

My results are that Wicket does indeed escape the mark-up in rendered components automatically. However, the strings stored in the components' models are not escaped.

To save you running the attached Wicket web page, I set out my post-submission results below. Firstly is some log output from the component models, and then the page source of the four components mentioned above:

26-Nov-2010 13:43:14 [...].PageSpecificTest doSubmit
FINE: g_pstdData data member values are: sSingleLineInput = "</body>" sMultiLineInput = "<!--".

<input type="text" wicket:id="sSingleLineInput" size="40" tabindex="1" value="&lt;/body&gt;" name="sSingleLineInput"/>
<span wicket:id="sSingleLineOutput">&lt;/body&gt;
<textarea wicket:id="sMultiLineInput" cols="50" rows="10" tabindex="2" name="sMultiLineInput">&lt;!--</textarea>
<textarea wicket:id="sMultiLineOutput" cols="50" rows="10" tabindex="4" name="sMultiLineOutput">&lt;!--</textarea>

Is this expected Wicket behaviour? If so, then I shall need to strip scripting from the model strings myself (hopefully using one of the examples kindly supplied already in this topic). If not, then I submit this post for your evaluation.

(I raise this topic because I build an address in Java code from several address elements, each one gathered by a TextField component. I then output the resultant address, which currently allows scripting through without having been escaped.)
I look forward to hearing any views,

Ian

--
View this message in context: http://apache-wicket.1842946.n4.nabble.com/Preventing-user-input-script-injection-attacks-tp3059119p3060397.html
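One way to keep a combined address safe at output time, as an added example that is not Ian's attached test page or Wicket's own code: build the address in a model from the raw (unescaped) field values and render it through a Label, so escaping happens at render, where Wicket applies it by default. It assumes the Wicket 1.4-era API and hypothetical field and component names (street, town, postcode, address).

```java
import org.apache.wicket.markup.html.WebPage;
import org.apache.wicket.markup.html.basic.Label;
import org.apache.wicket.markup.html.form.Form;
import org.apache.wicket.markup.html.form.TextField;
import org.apache.wicket.model.AbstractReadOnlyModel;
import org.apache.wicket.model.IModel;
import org.apache.wicket.model.PropertyModel;

// Hypothetical page. Matching AddressPage.html (assumed):
//   <form wicket:id="form">
//     <input type="text" wicket:id="street"/>
//     <input type="text" wicket:id="town"/>
//     <input type="text" wicket:id="postcode"/>
//     <input type="submit"/>
//   </form>
//   <span wicket:id="address"></span>
public class AddressPage extends WebPage {
    // Model fields hold the raw submitted text, unescaped, exactly as
    // observed in the log output of the test page.
    private String street = "";
    private String town = "";
    private String postcode = "";

    public AddressPage() {
        Form<Void> form = new Form<Void>("form");
        add(form);
        form.add(new TextField<String>("street", new PropertyModel<String>(this, "street")));
        form.add(new TextField<String>("town", new PropertyModel<String>(this, "town")));
        form.add(new TextField<String>("postcode", new PropertyModel<String>(this, "postcode")));

        // The combined address is computed from the raw parts; no escaping
        // is done here, because this value belongs to the model, not to markup.
        IModel<String> address = new AbstractReadOnlyModel<String>() {
            @Override
            public String getObject() {
                return street + ", " + town + ", " + postcode;
            }
        };

        // Label escapes model strings by default (setEscapeModelStrings is true),
        // so a street of "<script>" renders as &lt;script&gt;, the same treatment
        // the test page showed for "</body>". Markup would only pass through if
        // setEscapeModelStrings(false) were called on this component, which is
        // the setting to avoid for any component that renders user input.
        add(new Label("address", address));
    }
}
```

Escaping once at the rendering component, rather than in the model strings, also keeps the stored address usable for non-HTML outputs such as logs or e-mail text.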
