Is it possible to use GWT's SafeHTML templates to define an activeXControl? If I don't use the SafeHTML mechanism, it all works fine....however if I try to use SafeHTML it replaces my input classid with a "#".
Is SafeHTML blocking the use of classid?
Thanks!
SafeHtml sanitizes URLs that you try to "inject" into attributes that it knows are of type URL. This sanitization only accepts HTTP, HTTPS, FTP and MAILTO.
You can use other URLs but you have to explicitly say they're safe to use, by passing them as SafeUri instances. You'll create such instances using UriUtils.fromTrustedString or UriUtils.fromSafeConstant.
Related
Twig does a great job of sanitizing dangerous user input. However, I'm building a particular web app where I want to allow users to post clickable URL links in public comments. Is there some way I can make Twig not sanitize URL links, but still sanitize everything else?
You can use the raw filter to prevent HTML from being escaped:
{{ some_html|raw }}
Or maybe a better option would be to use it with the striptags filter and whitelist <a> tags:
{{ some_html|striptags('<a>')|raw }}
Internally, Twig uses the PHP strip_tags function. Note that its documentation has this warning:
Warning
This function does not modify any attributes on the tags that you allow using allowable_tags, including the style and onmouseover attributes that a mischievous user may abuse when posting text that will be shown to other users.
See TwigFiddle.
From the tutorial
But there's a problem! Our rendered comments look like this in the
browser: "<p>This is <em>another</em> comment</p>". We want those tags
to actually render as HTML.
That's React protecting you from an XSS attack. There's a way to get
around it but the framework warns you not to use it:
...
<span dangerouslySetInnerHTML={{__html: rawMarkup}} />
This is a special API that intentionally makes it difficult to insert raw HTML, but for Showdown we'll take advantage of this backdoor.
Remember: by using this feature you're relying on Showdown to be secure.
So there exists an API for inserting raw HTML, but the method name and the docs all warn against it. Is it safe to use this? For example, I have a chat app that takes Markdown comments and converts them to HTML strings. The HTML snippets are generated on the server by a Markdown converter. I trust the converter, but I'm not sure if there's any way for a user to carefully craft Markdown to exploit XSS. Is there anything else I should be doing to make sure this is safe?
Most Markdown processors (and I believe Showdown as well) allow the writer to use inline HTML. For example a user might enter:
This is _markdown_ with a <marquee>ghost from the past</marquee>. Or even **worse**:
<script>
alert("spam");
</script>
As such, you should have a whitelist of tags and strip all the other tags after converting from markdown to html. Only then use the aptly named dangerouslySetInnerHTML.
Note that this also what Stackoverflow does. The above Markdown renders as follows (without you getting an alert thrown in your face):
This is markdown with a ghost from the past. Or
even worse:
alert("spam");
There are three reasons it's best to avoid html:
security risks (xss, etc)
performance
event listeners
The security risks are largely mitigated by markdown, but you still have to decide what you consider valid, and ensure it's disallowed (maybe you don't allow images, for example).
The performance issue is only relevant when something will change in the markup. For example if you generated html with this: "Time: <b>" + new Date() + "</b>". React would normally decide to only update the textContent of the <b/> element, but instead replaces everything, and the browser must reparse the html. In larger chunks of html, this is more of a problem.
If you did want to know when someone clicks a link in the results, you've lost the ability to do so simply. You'd need to add an onClick listener to the closest react node, and figure out which element was clicked, delegating actions from there.
If you would like to use Markdown in React, I recommend a pure react renderer, e.g. vjeux/markdown-react.
I am using the javax.faces.render.Renderer class to render my custom components. I override either encodeBegin or encodeEnd to achieve my desired output.
I would like to know when should I use either of these methods? Is there any guideline on when should encodeBegin and encodeEnd be used?
That depends on the component tree hierarchy. Key is, do you expect children? How do you want the encoded output to look like when there are children?
Usually, you use encodeBegin() if you want to encode output before children are encoded. E.g. a start tag like HTML <div>. Usually, you use encodeEnd() if you want to encode output after children are encoded. E.g. an end tag like HTML </div>. Or perhaps an additional <script> which should work on the before-generated <div>.
Does anyone know if I could use custom HTML attributes in a Web Page, most of mobile devices could read it? or some devices will omit attributes as a default way? In other words: Most default web-browsers installed into mobile devices has the ability to process custom attributes?
I have some code like this:
<input type="text" id="txt1" value="0" percent="50" idColor="12">
the items you are talking about are attributes. If the webbrowser doesn't understand a particular attribute it should ignore them.
Modern browsers generally treat unknown attributes as properties assigned to elements, without any default impact, but recognized as attributes in CSS and JavaScript. In your case, for example, the CSS selector input[idColor] would match those input elements that have the attribute idColor, even though such an attribute is not defined in HTML specs.
In JavaScript, however, they are normally not available directly as properties, so e.g. document.getElementById('txt1').percent would yield undefined, though there are browser differences. But document.getElementById('txt1').getAttribute('percent') would yield 50.
I would expect this to apply to mobile browsers, too, though I only tested this on Android.
It is however unsafe to make up your own attribute names in HTML. What happens if some future HTML spec, or just some browser, assigns a meaning to an attribute called percent? The meaning could be quite surprising, for all that we can now.
Therefore the recommended way to use attributes that carry arbitrary data for use in client side scripting is to use names that start with data-. This gives you your own naming space to play with. No reasonable browser or search engine will ever treat such attributes as anything but page author’s private playground, not to be messed up with. So it would be better to use e.g. data-percent="50" data-color="12".
in my application i have some tinymce editors and the userinput is shown with
<h:outputText escape="false"/>
but how can i prevent malicious input, like javascript or iframes? Is there any lib which can filter the input strings?
UPDATE:
i found "htmlpurifier" but it is for php, is there anyting like this for java?
You'd need to use a HTML parser which supports cleaning/whitelisting tags/attributes. Among them there's Jsoup, it has a clean() method for exactly this purpose. Here's an extract of relevance from its site.
Sanitize untrusted HTML
Problem
You want to allow untrusted users to supply HTML for output on your website (e.g. as comment submission). You need to clean this HTML to avoid cross-site scripting (XSS) attacks.
Solution
Use the jsoup HTML Cleaner with a configuration specified by a Whitelist.
String unsafe =
"<p><a href='http://example.com/' onclick='stealCookies()'>Link</a></p>";
String safe = Jsoup.clean(unsafe, Whitelist.basic());
// now: <p>Link</p>