On Fri, Aug 28, 2009 at 3:02 PM, Koen Deforche <[email protected]> wrote:
> Hey Andrii,
>
> 2009/8/28 Andrii Arsirii <[email protected]>:
>> I have a Java applet, and I configure it with an XML configuration
>> (the configuration is made by the user).
>>
>> std::ostringstream os;
>> os << "<applet code='MyApplet.class' name='topology_editor' "
>>       "cache_archive='topology_editor.jar' width='100%' height='600'>"
>>       "<param name='cache_version' value='" << APPLET_REVISION << "' />"
>>       "<param name='topology' value='" << topology << "' />"
>>       "<param name='locale' value='" <<
>>       Wt::WApplication::instance()->locale() << "' />"
>>       "You must have <a "
>>       "href=\'http://java.sun.com/javase/downloads/index.jsp\'>Java SE Runtime "
>>       "Environment (JRE)</a> 5 or above installed "
>>       "and enabled in your browser to use this control"
>>       "</applet>";
>> new Wt::WText(os.str(), Wt::XHTMLUnsafeText, table->currentCell());
>>
>> The variable 'topology' contains valid XML.
>> Everything was perfect until topology contained '&'.
>> After this, when the page is rendered, Wt replaces & with '&amp;' and the Java
>> XML parser is unable to parse the XML.
>
> That in itself is strange: Wt's built-in XML parser is not supposed to
> replace & with &amp; when serializing attribute values.
>
>> How can I disable this?
>> When I try XHTMLText, the XSS filter shows an error about the <applet> tag and the mode is
>> switched to PlainText.
>> When I try PlainText, the page just shows the piece of code, not the applet.
>
> You can use XHTMLUnsafeText: it will pass on the XML unmodified. You
> will need to make sure that a user cannot manipulate the contents of
> your 'topology' to include
> '</applet><script>hack();hack();</script><applet ...>'.
He is already using XHTMLUnsafeText, see the last line in his code:

    new Wt::WText(os.str(), Wt::XHTMLUnsafeText, table->currentCell());

Weird.

--
Pau Garcia i Quiles
http://www.elpauer.org
(Due to my workload, I may need 10 days to answer)

_______________________________________________
witty-interest mailing list
https://lists.sourceforge.net/lists/listinfo/witty-interest
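Koen's warning is the part of this thread that matters beyond the `&` oddity: with XHTMLUnsafeText the whole string is emitted verbatim, so any user-controlled value spliced into an attribute (here `topology`) must be escaped for the attribute context, or a value like `'></applet><script>...` closes the attribute and the element. The example below is added here and is not code from the thread or from Wt; it builds the same applet markup as the original post but passes every interpolated value through a small hand-written escaper named `htmlAttrEscape` (an assumption for this example; in a real Wt application `Wt::Utils::htmlEncode` from `<Wt/Utils.h>` does the same job). The browser decodes the character references once when it hands the `<param>` value to the applet, so a `topology` that already contains `&amp;` arrives at the Java XML parser intact.

```cpp
#include <cassert>
#include <iostream>
#include <sstream>
#include <string>

// Escape a string for use inside a quoted (X)HTML attribute value.
// Hypothetical helper for this example; Wt's own Wt::Utils::htmlEncode
// performs the same kind of encoding.
std::string htmlAttrEscape(const std::string& s) {
    std::string out;
    out.reserve(s.size());
    for (char c : s) {
        switch (c) {
            case '&':  out += "&amp;";  break;
            case '<':  out += "&lt;";   break;
            case '>':  out += "&gt;";   break;
            case '"':  out += "&quot;"; break;
            case '\'': out += "&#39;";  break;   // the post uses single-quoted attributes
            default:   out += c;
        }
    }
    return out;
}

// Same markup as the original post, but every value that did not come from
// the template itself is escaped before being concatenated in.
std::string appletMarkup(const std::string& revision,
                         const std::string& topology,
                         const std::string& locale) {
    std::ostringstream os;
    os << "<applet code='MyApplet.class' name='topology_editor' "
          "cache_archive='topology_editor.jar' width='100%' height='600'>"
          "<param name='cache_version' value='" << htmlAttrEscape(revision) << "' />"
          "<param name='topology' value='" << htmlAttrEscape(topology) << "' />"
          "<param name='locale' value='" << htmlAttrEscape(locale) << "' />"
          "You must have <a href='http://java.sun.com/javase/downloads/index.jsp'>"
          "Java SE Runtime Environment (JRE)</a> 5 or above installed "
          "and enabled in your browser to use this control"
          "</applet>";
    return os.str();
}

// Minimal check used below: does the emitted markup contain a raw tag that
// the template itself never produces? If it does, the attribute was broken out of.
bool containsRawTag(const std::string& markup, const std::string& tag) {
    return markup.find(tag) != std::string::npos;
}

int main() {
    // Constructed inputs: a legitimate XML topology that already contains an
    // XML-escaped ampersand, and the break-out payload from Koen's reply.
    const std::string goodTopology = "<net name=\"a&amp;b\"><node id='1'/></net>";
    const std::string evilTopology = "'></applet><script>hack();hack();</script><applet x='";

    std::cout << appletMarkup("r1234", goodTopology, "en") << "\n\n";
    std::string hostile = appletMarkup("r1234", evilTopology, "en");
    std::cout << hostile << "\n";

    // The <script> element never reaches the page as markup.
    assert(!containsRawTag(hostile, "<script>"));
    return 0;
}
```

Escaping is done at the point of interpolation rather than once over `os.str()`, because the surrounding `<applet>`/`<param>` tags are supposed to stay markup; only the data values are not. If the `&amp;` rewriting Andrii saw is indeed coming from Wt's serializer, attribute-escaping the value first makes the output the same regardless of which text format is chosen.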
