mirrors
/
vaadin-framework
mirror of https://github.com/vaadin/framework.git
Watch 1
Star 0
Fork 0
Code Issues 0 Releases 329 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
19188 Commits
114 Branches
Branch: master
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'master'
${ noResults }
vaadin-framework/documentation/advanced/advanced-security.asciidoc

advanced-security.asciidoc 2.5KB
Raw Permalink Blame History

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051 
  1. ---

  2. title: Common Security Issues

  3. order: 8

  4. layout: page

  5. ---

  6. 

  7. [[advanced.security]]

  8. = Common Security Issues

  9. 

  10. [[advanced.security.sanitizing]]

  11. == Sanitizing User Input to Prevent Cross-Site Scripting

  12. 

  13. You can put raw HTML content in many components, such as the [classname]#Label#

  14. and [classname]#CustomLayout#, as well as in tooltips and notifications. In such

  15. cases, you should make sure that if the content has any possibility to come from

  16. user input, you must make sure that the content is safe before displaying it.

  17. Otherwise, a malicious user can easily make a

  18. link:http://en.wikipedia.org/wiki/Cross-site_scripting[cross-site scripting

  19. attack] by injecting offensive JavaScript code in such components. See other

  20. sources for more information about cross-site scripting.

  21. 

  22. Offensive code can easily be injected with [literal]#++<script>++# markup or in

  23. tag attributes as events, such as [parameter]#onLoad#.

  24. 

  25. // TODO Consider an example, Alice, Bob, etc.

  26. 

  27. Cross-site scripting vulnerabilities are browser dependent, depending on the

  28. situations in which different browsers execute scripting markup.

  29. 

  30. Therefore, if the content created by one user is shown to other users, the

  31. content must be sanitized. There is no generic way to sanitize user input, as

  32. different applications can allow different kinds of input. Pruning (X)HTML tags

  33. out is somewhat simple, but some applications may need to allow (X)HTML content.

  34. It is therefore the responsibility of the application to sanitize the input.

  35. 

  36. Character encoding can make sanitization more difficult, as offensive tags can

  37. be encoded so that they are not recognized by a sanitizer. This can be done, for

  38. example, with HTML character entities and with variable-width encodings such as

  39. UTF-8 or various CJK encodings, by abusing multiple representations of a

  40. character. Most trivially, you could input [literal]#++<++# and [literal]#++>++#

  41. with [literal]#++&lt;++# and [literal]#++&gt;++#, respectively. The input could

  42. also be malformed and the sanitizer must be able to interpret it exactly as the

  43. browser would, and different browsers can interpret malformed HTML and

  44. variable-width character encodings differently.

  45. 

  46. Notice that the problem applies also to user input from a

  47. [classname]#RichTextArea# is transmitted as HTML from the browser to server-side

  48. and is not sanitized. As the entire purpose of the [classname]#RichTextArea#

  49. component is to allow input of formatted text, you can not just remove all HTML

  50. tags. Also many attributes, such as [parameter]#style#, should pass through the

  51. sanitization.