Cross-site scripting"

From Documentation
m
Line 15: Line 15:
 
= The content Property of html and comboitem =
 
= The content Property of html and comboitem =
  
The content property of the html and combitem components are designed to allow application to generate HTML content directly. In other words, it is not encoded. Thus, it is better to carry the value input by an user, unless it is encoded property. For example, if the value of <code>any_content</code> is, in the following example, generated directly and vulnerable to XSS attack if it is the value provided by an user and without proper encoding.
+
The content property of the html and combitem components (<javadoc method="setContent(java.lang.String)">org.zkoss.zul.Html</javadoc> and <javadoc method="setContent(java.lang.String)">org.zkoss.zul.Comboitem</javadoc>) are designed to allow application to generate HTML content directly. In other words, it is not encoded. Thus, it is better to carry the value input by an user, unless it is encoded property. For example, if the value of <code>any_content</code> is, in the following example, generated directly and vulnerable to XSS attack if it is the value provided by an user and without proper encoding.
  
 
<source lang="xml">
 
<source lang="xml">
Line 22: Line 22:
  
 
* Java API: <javadoc method="setContent(java.lang.String)">org.zkoss.zul.Html</javadoc> and <javadoc method="setContent(java.lang.String)">org.zkoss.zul.Comboitem</javadoc>
 
* Java API: <javadoc method="setContent(java.lang.String)">org.zkoss.zul.Html</javadoc> and <javadoc method="setContent(java.lang.String)">org.zkoss.zul.Comboitem</javadoc>
 +
 +
= Client-side Actions =
 +
 +
The [[ZK Developer's Reference/UI Patterns/Actions and Effects|client-side action]] is not encoded and the options is interpreted as a JSON object. Thus, you could encode it by yourself, if you allow the end user to specify it (which is generally not suggested at all).
  
 
=Version History=
 
=Version History=

Revision as of 06:11, 27 December 2010


Cross-site scripting


Overview

Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications that enables malicious attackers to inject client-side script into web pages viewed by other users. Because HTML documents have a flat, serial structure that mixes control statements, formatting, and the actual content, any non-validated user-supplied data included in the resulting page without proper HTML encoding, may lead to markup injection.

To prevent from XSS attack, ZK component encodes any value that might be input by an user, such as the value of label and textbox, by escaping & and other unsafe characters. For example, the following statement is totally safe no matter what the value of any_value might be:

<textbox value="${any_value}"/>

However, there are still some notes worth to pay attention to.

The content Property of html and comboitem

The content property of the html and combitem components (Html.setContent(String) and Comboitem.setContent(String)) are designed to allow application to generate HTML content directly. In other words, it is not encoded. Thus, it is better to carry the value input by an user, unless it is encoded property. For example, if the value of any_content is, in the following example, generated directly and vulnerable to XSS attack if it is the value provided by an user and without proper encoding.

<html>${any_content}</html>

Client-side Actions

The client-side action is not encoded and the options is interpreted as a JSON object. Thus, you could encode it by yourself, if you allow the end user to specify it (which is generally not suggested at all).

Version History

Last Update : 2010/12/27


Version Date Content
     



Last Update : 2010/12/27

Copyright © Potix Corporation. This article is licensed under GNU Free Documentation License.