Discussion:
Preventing user input script-injection attacks
Ian Marshall
2010-11-25 15:15:40 UTC
If a user has entered some HTML in a TextField or TextArea<String> when I do
not want HTML to be entered, what is a good way to prevent this?

Currently, I store the offending strings and then render them using a Label
or MultiLineLabel, but for neither component does

Component.setEscapeModelStrings(true);

have an effect (presumably since this setting is already true by default).

Am I condemned to coding a method to examine the models of my TextField and
TextArea<String> components at form-submission-time and remove any HTML code
manually?

Any comments would be appreciated,

Ian
--
View this message in context: http://apache-wicket.1842946.n4.nabble.com/Preventing-user-input-script-injection-attacks-tp3059119p3059119.html
Sent from the Users forum mailing list archive at Nabble.com.

---------------------------------------------------------------------
To unsubscribe, e-mail: users-***@wicket.apache.org
For additional commands, e-mail: users-***@wicket.apache.org
Martin Makundi
2010-11-25 15:42:41 UTC
Hi!

I think there are libraries that can provide you with scripting
detection or escaping...

However, "I do not want HTML to be entered" is quite a vague rule. Even
plain letters are HTML.

**
Martin
Ian Marshall
2010-11-25 17:38:44 UTC
Sorry about that. By "I do not want HTML to be entered" I meant "character
strings which are rendered by a browser additional to, or instead of, being
displayed as that character string". Examples are:

<!--

</body>

<onclick='[Some nasty JavaScript]';

Basically, I want to remove nasty code being injected into future rendered
HTML by user input.
Patrick Petermair
2010-11-25 16:00:10 UTC
In our project we are using OWASP AntiSamy to prevent XSS attacks. It is
easy to use, has a couple of templates (Slashdot, eBay, ...) and works like a
charm.

http://www.owasp.org/index.php/Category:OWASP_AntiSamy_Project
http://code.google.com/p/owaspantisamy/

Regards,
Patrick

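As an added example (not Patrick's code and not taken from the AntiSamy project), this is the shape of an AntiSamy call for the case where some markup must be allowed through and therefore cannot simply be escaped. The class name, the policy file path and the sample input are made up; the policy file decides which tags and attributes survive.

```java
// Added example, not from the thread or the AntiSamy project.
// Assumes the AntiSamy jar on the classpath and a policy XML file whose
// path you supply (the file name used in main() is a placeholder).
import org.owasp.validator.html.AntiSamy;
import org.owasp.validator.html.CleanResults;
import org.owasp.validator.html.Policy;
import org.owasp.validator.html.PolicyException;
import org.owasp.validator.html.ScanException;

public class HtmlSanitiser {

    private final Policy policy;
    private final AntiSamy antiSamy = new AntiSamy();

    public HtmlSanitiser(String policyFile) throws PolicyException {
        // The policy is a whitelist: tags, attributes and CSS not listed in it
        // are removed from the input rather than escaped.
        this.policy = Policy.getInstance(policyFile);
    }

    /** Returns a cleaned copy of the submitted HTML, safe to store in the model. */
    public String clean(String submitted) throws ScanException, PolicyException {
        CleanResults results = antiSamy.scan(submitted, policy);
        // Each message names something the policy stripped; worth logging so
        // rejected input is visible to whoever reviews the application logs.
        for (Object message : results.getErrorMessages()) {
            System.err.println("AntiSamy removed: " + message);
        }
        return results.getCleanHTML();
    }

    public static void main(String[] args) throws Exception {
        HtmlSanitiser sanitiser = new HtmlSanitiser("antisamy-policy.xml"); // placeholder path
        // Constructed sample input: a <b> tag that a permissive policy keeps and an
        // inline event handler that every shipped policy strips.
        String dirty = "<b>Hello</b><a href=\"#\" onclick=\"alert(1)\">link</a>";
        System.out.println(sanitiser.clean(dirty));
    }
}
```

Sanitising is the right tool only when the field is meant to hold HTML; for plain-text fields such as an address, escaping at output (the rest of this thread) is simpler and has no policy to get wrong.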
Ian Marshall
2010-11-25 17:39:31 UTC
Thanks for that, Patrick.

I'll take a look at these tomorrow to see what they have got.
Michał Letyński
2010-11-26 07:14:04 UTC
You can also try to use:

http://nekohtml.sourceforge.net/
Igor Vaynberg
2010-11-25 19:18:24 UTC
wicket should already escape the markup for you. please provide a
quickstart where it is not doing it.

-igor
Ian Marshall
2010-11-26 14:34:39 UTC
Hello Igor,

I remain an Ant person for now and not a Maven person, so instead of a
quickstart project I attach HTML and Java code for a Wicket test page:


http://apache-wicket.1842946.n4.nabble.com/file/n3060397/PageSpecificTest.html
PageSpecificTest.html

http://apache-wicket.1842946.n4.nabble.com/file/n3060397/PageSpecificTest.java
PageSpecificTest.java

I commented out the log output in case you use a different log output method
to me.

This web page accepts input in a TextField and TextArea<String> component,
and after form submission it renders this input in both the original
components and also as copied to a Label and TextArea component
respectively.

My results are that Wicket does indeed escape the mark-up in rendered
components automatically. However, the strings stored in the components'
models are not escaped.

To save you running the attached Wicket web page, I set out my
post-submission results below. First is some log output from the component
models, and then the page source of the four components mentioned above:


26-Nov-2010 13:43:14 [...].PageSpecificTest doSubmit
FINE: g_pstdData data member values are:
sSingleLineInput = "</body>"
sMultiLineInput = "<!--".


<input type="text" wicket:id="sSingleLineInput" size="40" tabindex="1"
value="&amp;lt;/body&amp;gt;" name="sSingleLineInput"/>

<span wicket:id="sSingleLineOutput">&amp;lt;/body&amp;gt;

<textarea wicket:id="sMultiLineInput" cols="50" rows="10" tabindex="2"
name="sMultiLineInput">&amp;lt;!--</textarea>

<textarea wicket:id="sMultiLineOutput" cols="50" rows="10" tabindex="4"
name="sMultiLineOutput">&amp;lt;!--</textarea>


Is this expected Wicket behaviour? If so, then I shall need to strip
scripting from the model strings myself (hopefully using one of the examples
kindly supplied already in this topic). If not, then I submit this post for
your evaluation.

(I raise this topic because I build an address in Java code from several
address elements, each one gathered by a TextField component. I then output
the resultant address, which currently allows scripting through without
having been escaped.)

I look forward to hearing any views,

Ian
Igor Vaynberg
2010-11-26 16:39:47 UTC
yes, we only escape on the output. escaping the input itself makes
little sense. if you want to escape the input before you store it use
Strings.escapeMarkup() util method.

-igor
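As an added example (not code from the thread, from Ian's attached test page, or from the Wicket project), here is the address-composition case Ian describes with Igor's advice applied. It is written against the Wicket 1.4 API of the time; the page and component names are made up, and it assumes a companion AddressPage.html with `<form wicket:id="form">` containing inputs with wicket:id "street" and "city", plus two `<span>` elements with wicket:id "addressLabel" and "addressHtml".

```java
// Added example, not from the thread or the Wicket project. Wicket 1.4-style
// page; AddressPage.html (described in the lead-in) is assumed to exist.
package example;

import java.io.Serializable;

import org.apache.wicket.markup.html.WebPage;
import org.apache.wicket.markup.html.basic.Label;
import org.apache.wicket.markup.html.form.Form;
import org.apache.wicket.markup.html.form.TextField;
import org.apache.wicket.model.AbstractReadOnlyModel;
import org.apache.wicket.model.PropertyModel;
import org.apache.wicket.util.string.Strings;

public class AddressPage extends WebPage {

    /** Backing bean. Wicket stores exactly what was typed here, unescaped. */
    public static class Address implements Serializable {
        private String street = "";
        private String city = "";

        public String getStreet() { return street; }
        public String getCity() { return city; }
        // An empty TextField sets its model to null; keep "" so the
        // concatenations below never print the word "null".
        public void setStreet(String street) { this.street = street == null ? "" : street; }
        public void setCity(String city) { this.city = city == null ? "" : city; }
    }

    private final Address address = new Address();

    public AddressPage() {
        Form<Void> form = new Form<Void>("form");
        add(form);
        form.add(new TextField<String>("street", new PropertyModel<String>(address, "street")));
        form.add(new TextField<String>("city", new PropertyModel<String>(address, "city")));

        // 1) Default behaviour: a Label escapes its model string when it renders,
        //    so raw model values can be concatenated freely. Input such as
        //    "</body>" reaches the browser as "&lt;/body&gt;" and is displayed,
        //    not parsed.
        add(new Label("addressLabel", new AbstractReadOnlyModel<String>() {
            @Override
            public String getObject() {
                return address.getStreet() + ", " + address.getCity();
            }
        }));

        // 2) Output escaping switched off because this label must emit a literal
        //    <br/>. The component no longer protects you, so every user-supplied
        //    element is escaped with Strings.escapeMarkup() before it is joined
        //    with the trusted markup. Drop either call and the typed text is
        //    inserted into the page verbatim.
        Label addressHtml = new Label("addressHtml", new AbstractReadOnlyModel<String>() {
            @Override
            public String getObject() {
                return Strings.escapeMarkup(address.getStreet())
                        + "<br/>"
                        + Strings.escapeMarkup(address.getCity());
            }
        });
        addressHtml.setEscapeModelStrings(false);
        add(addressHtml);

        // Caveat: escaping on input (storing escapeMarkup(value) in the model) and
        // then rendering through a default, escaping Label encodes twice, and the
        // visitor sees "&lt;/body&gt;" as literal text. Escape once, at the output.
    }
}
```

The design choice is the one Igor states: the model keeps the raw string and escaping happens where the string meets markup. Case 2 is the only place escapeMarkup() is needed, and it is needed on each user-controlled fragment separately, never on the already-composed markup.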
Ian Marshall
2010-11-29 17:29:49 UTC
Igor
----
I was unaware of the class org.apache.wicket.util.string.Strings, let alone
that package. The Strings.escapeMarkup(...) method you mentioned fits my
needs exactly. Thank you.


Michał
------
Thank you also for your tip. I shall be using the Wicket method that Igor
mentioned. I shall also be having a play with that package to see what else
is there!


Regards,

Ian