What Tapestry now does for encoding is the following, if I'm right:

in *org.apache.tapestry5.dom.MarkupModel.encode(String)* it encodes only
*<*, *>* and *&*

which is not enough according to the OWASP XSS Prevention Cheat Sheet
<https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet#RULE_.231_-_HTML_Escape_Before_Inserting_Untrusted_Data_into_HTML_Element_Content>
for just HTML output.

Now I have a Request filter that does encoding on input, but then
Tapestry does double encoding on output, which is not optimal at all as
it will actually output everything as &amp;lt;, &amp;gt;, ... Changing all
output to outputRaw does not seem optimal either.
What I would like to be able to do is to override this encoding globally
on output myself. Maybe even for different locations of output: html,
javascript, json, etc.
For this I thought of using contributeBindingSource() and adding
something like an XSSBindingFactory and using it like the following:

${xss:html=someProperty}
${xss:js=someProperty}
...

I've just started researching XSS prevention and there seems to be a lot
to take care of to be (mostly) safe. If other people also have been
researching this, some thoughts, ideas or possible Tapestry
implementations are really appreciated. I just hope there's another way
than changing all output to outputRaw before applying my own encoding.

Nathan

On 15/11/13 12:58, Bob Harner wrote:
> Sounds like you need to use the OutputRaw component
>
> On Nov 15, 2013 3:18 AM, "Nathan Quirynen" <nat...@pensionarchitects.be>
> wrote:
>> Hi,
>>
>> Tapestry automatically encodes HTML like < to &lt; , which is nice as a
>> part of XSS prevention. But we also have some own javascript components
>> where this doesn't happen automatically (JSON data).
>>
>> Is it possible to disable this encoding, so I can just do the encoding
>> myself at the moment of data input instead of output (using a
>> RequestFilter)?
>>
>> Nathan
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscr...@tapestry.apache.org
>> For additional commands, e-mail: users-h...@tapestry.apache.org
>>
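As an added illustration of the context-specific output encoding discussed in the message above (this is not code from the thread and not Tapestry's own code): a hypothetical XssEncoder class with one method per output context (HTML content/attribute, JavaScript string literal, JSON string value) following the OWASP cheat sheet rules, next to a mimic of the `<`, `>`, `&`-only encoding the message attributes to MarkupModel.encode, plus a main() that shows what escaping on input and again on output produces. The class and method names are assumptions, the sample input is constructed, and wiring these methods into a BindingFactory via contributeBindingSource() is left out.

```java
import java.nio.charset.StandardCharsets;

/**
 * Hypothetical context-aware output encoders (added example, not Tapestry code).
 * Each method targets one output context, which is what a "${xss:html=...}",
 * "${xss:js=...}" style binding would have to select between.
 */
public final class XssEncoder {

    /** Mimics the behaviour described above for MarkupModel.encode: only <, > and &. */
    public static String tapestryStyle(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '<': sb.append("&lt;"); break;
                case '>': sb.append("&gt;"); break;
                case '&': sb.append("&amp;"); break;
                default:  sb.append(c);
            }
        }
        return sb.toString();
    }

    /** OWASP Rule #1: HTML element content and attribute values; also escapes both quote kinds and '/'. */
    public static String html(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '<':  sb.append("&lt;"); break;
                case '>':  sb.append("&gt;"); break;
                case '&':  sb.append("&amp;"); break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#x27;"); break;
                case '/':  sb.append("&#x2F;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** OWASP Rule #3: JavaScript string literal; every non-alphanumeric char becomes \xHH (or \\uHHHH above 0xFF). */
    public static String js(String s) {
        StringBuilder sb = new StringBuilder(s.length() * 2);
        for (char c : s.toCharArray()) {
            if (c < 128 && Character.isLetterOrDigit(c)) {
                sb.append(c);
            } else if (c < 256) {
                sb.append(String.format("\\x%02X", (int) c));
            } else {
                sb.append(String.format("\\u%04X", (int) c));
            }
        }
        return sb.toString();
    }

    /** JSON string value; also escapes <, >, & and U+2028/2029 so the JSON stays safe inside a script block. */
    public static String json(String s) {
        StringBuilder sb = new StringBuilder(s.length() * 2);
        for (char c : s.toCharArray()) {
            switch (c) {
                case '"':  sb.append("\\\""); break;
                case '\\': sb.append("\\\\"); break;
                case '<': case '>': case '&': case '\u2028': case '\u2029':
                    sb.append(String.format("\\u%04X", (int) c)); break;
                default:
                    if (c < 0x20) sb.append(String.format("\\u%04X", (int) c));
                    else sb.append(c);
            }
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed sample of untrusted input, not data from the thread.
        String untrusted = new String("<a href=\"#\" onclick='x()'>hi & bye</a>".getBytes(StandardCharsets.UTF_8),
                                      StandardCharsets.UTF_8);

        System.out.println("tapestry-style : " + tapestryStyle(untrusted)); // quotes survive untouched
        System.out.println("html           : " + html(untrusted));          // quotes and slash escaped too
        System.out.println("js             : " + js(untrusted));            // safe inside a JS string literal
        System.out.println("json           : " + json(untrusted));          // safe as a JSON string value

        // The effect the message describes: encode once on input (request filter),
        // then Tapestry encodes the already-encoded text again on output.
        String onInput  = html(untrusted);
        String onOutput = tapestryStyle(onInput);
        System.out.println("double-encoded : " + onOutput);                 // starts with "&amp;lt;a ..."
    }
}
```

The point the main() makes is that a single encoding step applied at the right place is what matters: encoding in a request filter fixes the encoding context before the data's destination is known, so an HTML-encoded value is wrong for a JavaScript or JSON context and gets mangled again by the HTML encoding on output. Selecting the encoder at output time, as the `${xss:...}` bindings sketched above would, avoids both problems.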
