Posted to users@wicket.apache.org by danisevsky <da...@gmail.com> on 2010/06/23 16:45:21 UTC

Security questions

I would like to implement a guest book panel and I have two security questions.

1) Do I need a captcha when there will be only an ajax submit link? I think that
robots can't submit a form through javascript.

2) Users will write new comments in a Rich Text Editor (
http://visural-wicket-examples.appspot.com/app/rich-text-editor Reduced
Functionality Example),
so I must call setEscapeModelStrings(false) on the label which shows comments. Is
this a big security issue?

Re: Security questions

Posted by Igor Vaynberg <ig...@gmail.com>.
On Wed, Jun 23, 2010 at 7:45 AM, danisevsky <da...@gmail.com> wrote:
> I would like to implement a guest book panel and I have two security questions.
>
> 1) Do I need a captcha when there will be only an ajax submit link? I think that
> robots can't submit a form through javascript.

should be ok

>
> 2) Users will write new comments in a Rich Text Editor (
> http://visural-wicket-examples.appspot.com/app/rich-text-editor Reduced
> Functionality Example),
> so I must call setEscapeModelStrings(false) on the label which shows comments. Is
> this a big security issue?

Not as long as you properly sanitize the code; if you don't, then
someone can submit <script> tags inside their comment and create an
XSS attack.

-igor
>

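The sanitize-then-render pattern Igor describes, written out as an added example (not code from the thread, from Wicket, or from the Visural editor). It assumes the OWASP Java HTML Sanitizer (`org.owasp.html`) is on the classpath and a companion markup file containing `<span wicket:id="comment"></span>`; the panel name, the element allowlist and the sample comment are constructed for illustration. The point is that `setEscapeModelStrings(false)` is only acceptable when the string handed to the label has already been reduced to an allowlisted subset of HTML.

```java
import org.apache.wicket.markup.html.basic.Label;
import org.apache.wicket.markup.html.panel.Panel;
import org.apache.wicket.model.IModel;
import org.apache.wicket.model.Model;
import org.owasp.html.HtmlPolicyBuilder;
import org.owasp.html.PolicyFactory;

/** Hypothetical guest-book panel: renders one user comment as HTML after sanitizing it. */
public class GuestBookCommentPanel extends Panel {

    // Allowlist policy (assumed set of tags; adjust to what the editor actually emits).
    // Everything not listed here, including <script>, <iframe>, on* handlers and
    // style attributes, is stripped rather than escaped.
    private static final PolicyFactory COMMENT_POLICY = new HtmlPolicyBuilder()
        .allowElements("p", "br", "b", "i", "u", "em", "strong", "ul", "ol", "li", "a")
        .allowAttributes("href").onElements("a")
        .allowStandardUrlProtocols()   // http/https/mailto only; javascript: URLs are dropped
        .requireRelNofollowOnLinks()
        .toFactory();

    public GuestBookCommentPanel(String id, IModel<String> untrustedComment) {
        super(id);
        // Sanitize at render time so the stored value is never trusted, even if it was
        // also sanitized when it was saved.
        String safeHtml = sanitize(untrustedComment.getObject());
        Label comment = new Label("comment", Model.of(safeHtml));
        // Safe only because safeHtml has been through the allowlist above.
        comment.setEscapeModelStrings(false);
        add(comment);
    }

    /** Reduces untrusted editor output to the allowlisted HTML subset. */
    public static String sanitize(String untrustedHtml) {
        return untrustedHtml == null ? "" : COMMENT_POLICY.sanitize(untrustedHtml);
    }

    /** Stand-alone check with a constructed comment containing a script tag and an event handler. */
    public static void main(String[] args) {
        String constructed = "<p>Nice <b onmouseover=\"x()\">site</b>!</p>"
            + "<script>alert(1)</script>"
            + "<a href=\"javascript:void(0)\">link</a>";
        // Expected: the <p>/<b> markup survives without the onmouseover attribute,
        // the <script> block is removed entirely, and the javascript: link loses its href.
        System.out.println(sanitize(constructed));
    }
}
```

Sanitizing on the way in (when the comment is persisted) is still worth doing so that other consumers of the stored text, such as e-mail notifications or feeds, do not have to remember to do it; sanitizing again on the way out, as above, covers the case where a comment reached the database by some other path.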