Hi Martin,

This is how I've done it.

label = new Label("message", getString("main.message", new Model<WebUser>(authSession.getUser())));
label.setOutputMarkupId(true);


And in the MainTmsPage.properties I have:

main.message=Hello <b>${realName}</b>.<br> Welcome to the Technoactivity Payment Solutions main page.


And it worked!


On 30/01/14 10:03, Martin Grigorov wrote:
Hi,

On Wed, Jan 29, 2014 at 6:26 PM, Gonzalo Aguilar Delgado <
gagui...@aguilardelgado.com> wrote:

Hi there,

I'm building an application for a client and my security advisor told me
about an XSS attack that can be performed on the site.

When a user logs in I welcome them by saying "Hello user".

<div class="thumbnail">
                     <p wicket:id="message">
                         Hello ${realName}.

How do you substitute the value of ${realName} ?
Wicket doesn't support such placeholders.

The Wicket syntax would be: Hello <span wicket:id="realName"></span>.
Together with: page.add(new Label("realName", "Some Name"));


                         Welcome to the Synapse web.
                     </p>
                 </div>


As you can see I use I18N so this is not the real text that will show up,
but it's similar.

I used to think that Wicket validated output before building web but the
white hat hacked it by just putting a fake name into the database. Too easy
for me...

The content of realName is:

'';!--"<SCRIPT>alert('XSS')</SCRIPT>=&{()}


So I ended with:

Hello<b>'';!--"<script>alert('XSS')</script>=&amp;{()}

In the web page. And the script executed on login.

I was thinking about baking a method into my DAO classes to validate
everything that goes to the database. But there should be a better solution.

Can you point me to the right one?



Best regards,
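
The message template in this thread carries trusted markup (<b>, <br>) while realName comes from the database, so the value has to be HTML-escaped before it is substituted into the template. The stand-alone Java below is an added example, not code from the thread or from Wicket; the class name, the render and escapeHtml helpers and the placeholder regex are assumptions made for illustration.

```java
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class WelcomeMessageEscaping {
    // Template from the thread's MainTmsPage.properties: markup written by the developer, trusted.
    static final String TEMPLATE =
        "Hello <b>${realName}</b>.<br> Welcome to the Technoactivity Payment Solutions main page.";
    static final Pattern PLACEHOLDER = Pattern.compile("\\$\\{(\\w+)\\}");

    // Minimal HTML escaper for element text and quoted attribute values (hand-written for this example).
    static String escapeHtml(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&': out.append("&amp;"); break;
                case '<': out.append("&lt;"); break;
                case '>': out.append("&gt;"); break;
                case '"': out.append("&quot;"); break;
                case '\'': out.append("&#39;"); break;
                default: out.append(c);
            }
        }
        return out.toString();
    }

    // Fills ${key} placeholders; untrusted values are escaped only when escapeValues is true.
    static String render(String template, Map<String, String> values, boolean escapeValues) {
        Matcher m = PLACEHOLDER.matcher(template);
        StringBuffer sb = new StringBuffer();
        while (m.find()) {
            String v = values.getOrDefault(m.group(1), "");
            if (escapeValues) v = escapeHtml(v);
            // quoteReplacement keeps '$' and '\' in the value from being read as group references
            m.appendReplacement(sb, Matcher.quoteReplacement(v));
        }
        m.appendTail(sb);
        return sb.toString();
    }

    public static void main(String[] args) {
        // The realName value quoted in the thread, as it was stored in the database.
        Map<String, String> user = Map.of("realName", "'';!--\"<SCRIPT>alert('XSS')</SCRIPT>=&{()}");
        System.out.println("raw:     " + render(TEMPLATE, user, false)); // script element reaches the page
        System.out.println("escaped: " + render(TEMPLATE, user, true));  // value is inert text inside <b>
    }
}
```

In a Wicket page the same ordering applies: escape the value first (Wicket ships Strings.escapeMarkup for this), and only then call setEscapeModelStrings(false) on the Label that has to render the template's own markup.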




