Cross-site scripting"

From Documentation
Line 19: Line 19:
 
== The <code>content</code> Attribute of Html and Comboitem ==
 
== The <code>content</code> Attribute of Html and Comboitem ==
  
The content property of the html and combitem components (<javadoc method="setContent(java.lang.String)">org.zkoss.zul.Html</javadoc> and <javadoc method="setContent(java.lang.String)">org.zkoss.zul.Comboitem</javadoc>) are designed to allow applications to generate HTML content directly. In other words, it is not encoded. Thus, it is better not to carry the user input, unless it is encoded properly. For example, if the value of <code>any_content</code> is, in the following example, generated directly and vulnerable to XSS attack if it is the value provided by an user and without proper encoding.
+
The content property of the html and combitem components (<javadoc method="setContent(java.lang.String)">org.zkoss.zul.Html</javadoc> and <javadoc method="setContent(java.lang.String)">org.zkoss.zul.Comboitem</javadoc>) is designed to allow applications to generate HTML content directly. In other words, it is not encoded. In most cases we expect these values to come from the server-side. However, if your application takes user input as the content property, you will need to encode it properly. For example, if the value of <code>any_content</code>, in the following example, is generated directly without proper encoding, it may be vulnerable to XSS attacks.
 +
 
  
 
<source lang="xml">
 
<source lang="xml">

Revision as of 07:43, 23 May 2022


Cross-site scripting


Overview

Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications that enables malicious attackers to inject client-side script into web pages viewed by other users. Because HTML documents have a flat, serial structure that mixes control statements, formatting, and the actual content, any non-validated user-supplied data included in the resulting page without proper HTML encoding may lead to markup injection.

What ZK Encodes

All Input Components Block XSS

To prevent a XSS attack, ZK components encode any value that might be input by a user by escaping & and other unsafe characters. For example, the following statement is totally safe even any_value contains a script like <script>alert('xss')</script>:

<textbox value="${any_value}"/>

Attributes to Generate Texts

Label component's value and those attributes that generate texts into a page including label, title, tooltiptext, placeholder, name, type, and message like createMessage, emptyMessage. (ZK encodes them with zUtl.encodeXML() at client-side.)

What ZK Doesn't Encode

The content Attribute of Html and Comboitem

The content property of the html and combitem components (Html.setContent(String) and Comboitem.setContent(String)) is designed to allow applications to generate HTML content directly. In other words, it is not encoded. In most cases we expect these values to come from the server-side. However, if your application takes user input as the content property, you will need to encode it properly. For example, if the value of any_content, in the following example, is generated directly without proper encoding, it may be vulnerable to XSS attacks.


<html>${any_content}</html>

Some methods of Clients

As the name says this utility allows more direct client-side access. Thus the methods don't encode the strings passed into them to allow formatting of the messages at client-side, e.g.:

Clients.showNotification("Successfully processed: <br/>" + myTextbox.getValue());

When displaying user input using methods such as Clients.showBusy(String) or Clients.showNotification(String) ... and especially when dynamically concatenated JS code is executed using Clients.evalJavaScript(String) user input should be escaped carefully.

Client-side Actions

The client-side action is not encoded and the options are interpreted as a JSON object. Thus, you could encode it by yourself, if you allow the end-user to specify it (which is generally not suggested at all).

Page Directive

All attributes of <?page?> are not encoded.

Sanitize User Input

Regarding those attributes that ZK doesn't escape HTML characters, we assume application developers should do it according to their needs. You can use ZK XMLs.escapeXML(String) or Apache Commons Lang's StringEscapeUtils to sanitize user input.

Version History

Last Update : 2022/05/23


Version Date Content
     



Last Update : 2022/05/23

Copyright © Potix Corporation. This article is licensed under GNU Free Documentation License.