setHTML example, unsafe?


Jose María Zaragoza

Oct 30, 2012, 12:53:21 PM
to google-we...@googlegroups.com

Hi:

I'm reading about XSS attacks and GWT unsafe code.

I've got a method (client side):

public void print(String message)
{
   widget.setHTML(message);
}


And this method is invoked by other methods (client side) in this way:

this.print("<br>This is an error</br>");
this.print("<br>This is another error</br>");
....


Where is the unsafe code? How is it possible to inject malicious code?


Thanks and regards






Matthew Dempsky

Oct 30, 2012, 1:02:38 PM
to google-web-toolkit
On Tue, Oct 30, 2012 at 9:53 AM, Jose María Zaragoza <demab...@gmail.com> wrote:
public void print(String message)
{
   widget.setHTML(message);
}

this.print("<br>This is an error</br>");
this.print("<br>This is another error</br>");

This code is fine.  The risk comes from something like

    this.print(user.getName());

and a user sets their name to "<script>alert(1)</script>".  But if you look at either the print() function implementation or any of the callers in isolation, it's not clear that there's an issue.  It's only if you look at the whole application at once that you can realize there's an issue.

This is also the motivation for GWT's SafeHtml libraries.  When used correctly, they make it easier to security-review GWT code without needing to double-check whether any given function treats its string arguments as plain text or HTML.

Thomas Broyer

Oct 30, 2012, 1:20:33 PM
to google-we...@googlegroups.com
Not sure <script>alert(1)</script> would be "at risk" here, as browsers generally (I said generally, I'm sure there are exceptions, IE maybe?) don't execute <script>s on assigning innerHTML; but there are things like onclick="alert(1)", <img src="http://vilain">, <img src="neverland" onerror="alert(1)">, <iframe style="position:absolute;top:0;left:0;bottom:0;right:0;" src="http://vilain"></iframe>, etc.

SafeHtml and SafeStyles solve the "primitive obsession" anti-pattern: http://c2.com/cgi/wiki?NoStrings
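Added example, not part of the thread and not GWT's own code: the pattern Matthew's and Thomas's replies describe, written in plain JavaScript so it runs under Node without a browser. SafeHtml, SafeHtmlBuilder and Widget.setHTML are constructed stand-ins that follow the shape of GWT's SafeHtmlUtils.fromString/fromSafeConstant, SafeHtmlBuilder.appendEscaped/appendHtmlConstant and HasSafeHtml.setHTML(SafeHtml); the payload strings are the kinds Thomas lists, with the host replaced by a placeholder. It shows both points the replies make: escaping turns each of those payloads into inert text (no tag, no attribute left for the parser), and a setHTML that only accepts SafeHtml moves the text-or-HTML decision to one reviewable spot instead of every caller of print().

```javascript
// Added example (not from the thread): constructed stand-ins for GWT's
// SafeHtml types, so the text-vs-HTML decision lives in the type, not in
// the head of whoever reviews print() and all of its callers.

// Escape the five characters that can start a tag, close an attribute value
// or begin an entity. Everything else passes through unchanged.
function htmlEscape(text) {
  return String(text)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Private construction token: only the two factory methods can mint a
// SafeHtml, so a raw string never becomes one by accident.
const SAFE_TOKEN = Symbol('SafeHtml');

class SafeHtml {
  #html;
  constructor(html, token) {
    if (token !== SAFE_TOKEN) throw new TypeError('use fromString or fromSafeConstant');
    this.#html = html;
  }
  // Untrusted input (a user name, a server message) is always escaped.
  static fromString(untrusted) { return new SafeHtml(htmlEscape(untrusted), SAFE_TOKEN); }
  // Developer-authored markup: the author vouches for it here, at one reviewable spot.
  static fromSafeConstant(constant) { return new SafeHtml(constant, SAFE_TOKEN); }
  asString() { return this.#html; }
}

// Composes constant markup with escaped data without ever exposing a raw
// string that could be mistaken for HTML.
class SafeHtmlBuilder {
  #parts = [];
  appendHtmlConstant(constant) { this.#parts.push(constant); return this; }
  appendEscaped(untrusted) { this.#parts.push(htmlEscape(untrusted)); return this; }
  toSafeHtml() { return SafeHtml.fromSafeConstant(this.#parts.join('')); }
}

// Stand-in for a widget whose setHTML only accepts SafeHtml. A plain string
// fails at the call site, so "does print() treat its argument as text or
// HTML?" no longer has to be answered by reading the whole application.
class Widget {
  constructor() { this.innerHTML = ''; }
  setHTML(safe) {
    if (!(safe instanceof SafeHtml)) throw new TypeError('setHTML requires SafeHtml');
    this.innerHTML = safe.asString();
  }
}

// The thread's print(user.getName()) scenario, rewritten with the builder.
// Returns the markup the widget would hand to innerHTML.
function printUserError(widget, userName) {
  const html = new SafeHtmlBuilder()
    .appendHtmlConstant('<br>Error for user: ')
    .appendEscaped(userName)
    .toSafeHtml();
  widget.setHTML(html);
  return widget.innerHTML;
}

// True when setHTML refuses a raw string, i.e. the type check actually holds.
function rejectsRawString(widget, raw) {
  try {
    widget.setHTML(raw);
    return false;
  } catch (e) {
    return e instanceof TypeError;
  }
}

// Constructed payloads of the kinds Thomas lists (host replaced by a
// placeholder). After escaping none of them contains '<' any more, so the
// HTML parser sees text, not an element or an event-handler attribute.
const CONSTRUCTED_PAYLOADS = [
  '<script>alert(1)</script>',
  '<img src="neverland" onerror="alert(1)">',
  '<iframe style="position:absolute;top:0" src="http://example.invalid"></iframe>',
];

function allPayloadsNeutralised() {
  return CONSTRUCTED_PAYLOADS.every((p) => !htmlEscape(p).includes('<'));
}

console.log(printUserError(new Widget(), CONSTRUCTED_PAYLOADS[1]));
```

Run it with node; the last line prints the escaped rendering of the img/onerror payload. The review benefit is in where the trust decisions sit: fromString escapes unconditionally, so the only call sites a reviewer has to inspect are the fromSafeConstant and appendHtmlConstant ones, which must receive literals and nothing derived from input.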