Posted to users@myfaces.apache.org by Simon Kulessa <ku...@flexsecure.de> on 2010/07/14 09:19:48 UTC

[Trinidad] XSS attack prevention?

Hello,

I have written my own component to display messages inside a jsf page.
The component is based on the tr:messages Element.
My implementation of the renderer uses the following code to write the 
message into the page.

    //ResponseWriter writer
    for (FacesMessage msg : messages) {

        writer.startElement("li", null);

        String summary = msg.getSummary();
        // add something to prevent xss attacks here
        writer.write(summary);   // write() emits the string as raw markup

        writer.endElement("li");
    }

The bad thing is that msg.getSummary() can contain JavaScript code - 
which will be executed if the page is rendered. I need to add some
kind of prevention against this behaviour.

I assume that Trinidad offers some mechanisms to prevent
this kind of attack. Can someone give me some hints?


Best regards,
Simon Kulessa.
-- 

Diplom Informatiker Simon Kulessa

FlexSecure GmbH
Industriestr. 12
D - 64297 Darmstadt
Tel: +49 (0) 6151 501 23-15
Fax: +49 (0) 6151 501 23-19
E-Mail:kulessa@flexsecure.de
Internet:www.flexsecure.de

Geschäftsführer:
Erwin Stallenberger, Markus Ruppert

Amtsgericht Darmstadt HRB 8036
Umsatzsteuernummer: DE 214745269


Re: [Trinidad] XSS attack prevention?

Posted by Jakob Korherr <ja...@gmail.com>.
Hi Simon,

Sorry I don't know if there is anything on Trinidad that does that for you
automatically, but you can check out the OWASP cheat sheet for XSS at [1].
Maybe this will help!

Regards,
Jakob

[1]
http://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet

2010/7/14 Simon Kulessa <ku...@flexsecure.de>

> Hello,
>
> I have written my own component to display messages inside a jsf page.
> The component is based on the tr:messages Element.
> My implementation of the renderer uses the following code to write the
> message into the page.
>
>                //ResponseWriter writer
>                for(FacesMessage msg : messages) {
>
>                        writer.startElement("li", null);
>
>                        String summary = msg.getSummary();
>                        // add something to prevent xss attacks here
>                        writer.write(summary);
>
>                        writer.endElement("li");
>                }
>
> The bad thing is that msg.getSummary() can contain JavaScript code - which
> will be executed if the page is rendered. I need to add some
> kind of prevention against this behaviour.
>
> I assume that Trinidad offers some mechanisms to prevent
> this kind of attack. Can someone give me some hints?
>
>
> Best regards,
> Simon Kulessa.
> --
>
> Diplom Informatiker Simon Kulessa
>
> FlexSecure GmbH
> Industriestr. 12
> D - 64297 Darmstadt
> Tel: +49 (0) 6151 501 23-15
> Fax: +49 (0) 6151 501 23-19
> E-Mail:kulessa@flexsecure.de
> Internet:www.flexsecure.de
>
> Geschäftsführer:
> Erwin Stallenberger, Markus Ruppert
>
> Amtsgericht Darmstadt HRB 8036
> Umsatzsteuernummer: DE 214745269
>
>


-- 
Jakob Korherr

blog: http://www.jakobk.com
twitter: http://twitter.com/jakobkorherr
work: http://www.irian.at

Re: [Trinidad] XSS attack prevention?

Posted by Jan-Kees van Andel <ja...@gmail.com>.
Hey,

Preventing XSS can be very easy or very difficult, depending on your
situation.

Simply put, if you have set up all encodings and MIME types properly, AND
you only use your custom component in the context of HTML, simply HTML
encoding should be enough. With "in the context of HTML", I mean, you don't
put the component inside <script></script> or <style></style> tags. But
also, you don't put it inside HTML attributes such as "style" and "onclick",
because they trigger a context switch in the browser.

If you do intend to use the component in places like between script or style
tags, you should not HTML encode, but use the encodings that apply for CSS
or JavaScript, which is not only impossible to write in a generic manner,
but also extremely difficult to get secure. For example, take a look at this
snippet (JSP or Facelets):
<input type="text" onclick="alert(${someBean.property})" />

How do you think this expression should be escaped?

Having said this, if you only use your component in "sensible" places, HTML
encoding is the way to go and, like Max mentioned, ResponseWriter.writeText
does this. You might want to take a look at the MyFaces implementation:
http://svn.apache.org/repos/asf/myfaces/shared/trunk/core/src/main/java/org/apache/myfaces/shared/renderkit/html/HtmlResponseWriterImpl.java

Regards,
Jan-Kees



2010/7/14 Max Starets <ma...@oracle.com>

> Simon,
>
> If you use ResponseWriter.writeText(), any <script> elements would be
> definitely escaped.
>
> Max
>
>
> Simon Kulessa wrote:
>
>> Hello,
>>
>> I have received word that there is some trouble with my signature,
>> so I send the mail again, this time without it.
>>
>> Best regards,
>> Simon Kulessa.
>>
>> ---
>> Hello,
>>
>> I have written my own component to display messages inside a jsf page.
>> The component is based on the tr:messages Element.
>> My implementation of the renderer uses the following code to write the
>> message into the page.
>>
>> //ResponseWriter writer
>> for(FacesMessage msg : messages) {
>>
>>  writer.startElement("li", null);
>>
>>  String summary = msg.getSummary();
>>  // add something to prevent xss attacks here
>>  writer.write(summary);
>>
>>  writer.endElement("li");
>> }
>>
>> The bad thing is that msg.getSummary() can contain JavaScript code -
>> which will be executed if the page is rendered. I need to add some
>> kind of prevention against this behaviour.
>>
>> I assume that Trinidad offers some mechanisms to prevent
>> this kind of attack. Can someone give me some hints?
>>
>> Best regards,
>> Simon Kulessa.
>>
>>
>

Re: [Trinidad] XSS attack prevention?

Posted by Max Starets <ma...@oracle.com>.
Simon,

If you use ResponseWriter.writeText(), any <script> elements would be 
definitely escaped.

Max

Simon Kulessa wrote:
> Hello,
>
> I have received word that there is some trouble with my signature,
> so I send the mail again, this time without it.
>
> Best regards,
> Simon Kulessa.
>
> ---
> Hello,
>
> I have written my own component to display messages inside a jsf page.
> The component is based on the tr:messages Element.
> My implementation of the renderer uses the following code to write the
> message into the page.
>
> //ResponseWriter writer
> for(FacesMessage msg : messages) {
>
>   writer.startElement("li", null);
>
>   String summary = msg.getSummary();
>   // add something to prevent xss attacks here
>   writer.write(summary);
>
>   writer.endElement("li");
> }
>
> The bad thing is that msg.getSummary() can contain JavaScript code -
> which will be executed if the page is rendered. I need to add some
> kind of prevention against this behaviour.
>
> I assume that Trinidad offers some mechanisms to prevent
> this kind of attack. Can someone give me some hints?
>
> Best regards,
> Simon Kulessa.
>

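The following stand-alone Java program is an added illustration of the advice in Max's and Jan-Kees's replies above; it is not code from the thread, from MyFaces or from Trinidad. HtmlWriter is a hypothetical stand-in for javax.faces.context.ResponseWriter that only models the escaping behaviour, escapeText assumes that HtmlResponseWriterImpl escapes at least the three characters shown (it may encode more), and the message strings are constructed test input.

```java
import java.util.Arrays;
import java.util.List;

/**
 * Stand-alone model of the fix discussed in this thread. HtmlWriter is a
 * deliberately small stand-in for javax.faces.context.ResponseWriter; it is
 * not the MyFaces/Trinidad implementation, it only models the escaping.
 */
public class MessageEscapingDemo {

    /** Hypothetical stand-in for ResponseWriter with the four calls the renderer uses. */
    static final class HtmlWriter {
        private final StringBuilder out = new StringBuilder();

        void startElement(String name) { out.append('<').append(name).append('>'); }
        void endElement(String name)   { out.append("</").append(name).append('>'); }

        /** Raw write, as in the original renderer: markup inside text reaches the browser as markup. */
        void write(String text) { out.append(text); }

        /** Escaped write, the equivalent of ResponseWriter.writeText(text, null). */
        void writeText(String text) { out.append(escapeText(text)); }

        @Override public String toString() { return out.toString(); }
    }

    /**
     * HTML element-content escaping. These three characters are the ones that can
     * start or end markup in element content; HtmlResponseWriterImpl escapes at
     * least these (assumption: it may also encode others, e.g. non-ASCII).
     */
    static String escapeText(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&': sb.append("&amp;"); break;
                case '<': sb.append("&lt;");  break;
                case '>': sb.append("&gt;");  break;
                default:  sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Simon's loop with write() replaced by writeText(): the change Max and Jan-Kees recommend. */
    static String renderMessages(List<String> summaries) {
        HtmlWriter writer = new HtmlWriter();
        writer.startElement("ul");
        for (String summary : summaries) {
            writer.startElement("li");
            writer.writeText(summary);   // was: writer.write(summary)
            writer.endElement("li");
        }
        writer.endElement("ul");
        return writer.toString();
    }

    /** The original behaviour, kept only for comparison. */
    static String renderMessagesRaw(List<String> summaries) {
        HtmlWriter writer = new HtmlWriter();
        writer.startElement("ul");
        for (String summary : summaries) {
            writer.startElement("li");
            writer.write(summary);
            writer.endElement("li");
        }
        writer.endElement("ul");
        return writer.toString();
    }

    public static void main(String[] args) {
        // Constructed sample summaries; the harmless alert() mirrors Jan-Kees's example.
        List<String> msgs = Arrays.asList("Login failed", "<script>alert(1)</script>");

        // With writeText() the second item is shown literally and no element is created.
        System.out.println(renderMessages(msgs));
        // With write() the same summary is emitted as a real script element.
        System.out.println(renderMessagesRaw(msgs));

        // Escaping like this is only valid for element content. Inside onclick="..."
        // the browser decodes the entities before parsing the value as JavaScript,
        // and inside <script> no entity decoding happens at all; that is the
        // context switch Jan-Kees warns about, and no HTML escaping covers it.
    }
}
```

Compile with javac and run the class: the first printed list shows the second summary with its angle brackets turned into entities, the second list contains it as live markup. In a real Trinidad renderer the same change is the one-line replacement of writer.write(summary) with writer.writeText(summary, null).
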

[Trinidad] XSS attack prevention?

Posted by Simon Kulessa <ku...@flexsecure.de>.
Hello,

I have received word that there is some trouble with my signature,
so I send the mail again, this time without it.

Best regards,
Simon Kulessa.

---
Hello,

I have written my own component to display messages inside a jsf page.
The component is based on the tr:messages Element.
My implementation of the renderer uses the following code to write the
message into the page.

//ResponseWriter writer
for(FacesMessage msg : messages) {

   writer.startElement("li", null);

   String summary = msg.getSummary();
   // add something to prevent xss attacks here
   writer.write(summary);

   writer.endElement("li");
}

The bad thing is that msg.getSummary() can contain JavaScript code -
which will be executed if the page is rendered. I need to add some
kind of prevention against this behaviour.

I assume that Trinidad offers some mechanisms to prevent
this kind of attack. Can someone give me some hints?

Best regards,
Simon Kulessa.

-- 

Diplom Informatiker Simon Kulessa

FlexSecure GmbH
Industriestr. 12
D - 64297 Darmstadt
Tel: +49 (0) 6151 501 23-15
Fax: +49 (0) 6151 501 23-19
E-Mail:kulessa@flexsecure.de
Internet:www.flexsecure.de

Geschäftsführer:
Erwin Stallenberger, Markus Ruppert

Amtsgericht Darmstadt HRB 8036
Umsatzsteuernummer: DE 214745269
