Hi!

<snip>
> If you have e.g. blog application that allows users to enter comment
> that other users can see, always escape the <script> tags, so that
> user can't post <script> tag in a comment, as this can be used to
> steal other user's confidential information.
>   
</snip>

That's a very good point. Basically, transforming all HTML control chars
into HTML entities is a good idea.
You can also execute JavaScript like this: <body onload="alert('xss')"></body>
or even like this, without < and > (if this value is put into a text field's
value attribute): " onchange="alert('xss')

- Johannes


> -Matej
>
> On 4/6/07, Niels Bo <[EMAIL PROTECTED]> wrote:
>   
>> Hi!
>>
>> How protected is Wicket against "JavaScript Hijacking", as described in this
>> paper?
>>
>> http://www.fortifysoftware.com/servlet/downloads/public/JavaScript_Hijacking.pdf
>>
>>
>> Best Regards
>> Niels Bo
>> --
>> View this message in context: 
>> http://www.nabble.com/JavaScript-Hijacking-tf3536320.html#a9870835
>> Sent from the Wicket - User mailing list archive at Nabble.com.
>>
>>
>> -------------------------------------------------------------------------
>> Take Surveys. Earn Cash. Influence the Future of IT
>> Join SourceForge.net's Techsay panel and you'll get the chance to share your
>> opinions on IT & business topics through brief surveys-and earn cash
>> http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
>> _______________________________________________
>> Wicket-user mailing list
>> [email protected]
>> https://lists.sourceforge.net/lists/listinfo/wicket-user
>>
>>     
>


-- 

   Johannes Fahrenkrug
   Tel:    +49 (0)431 5446 246
   Fax:    +49 (0)431 5446 248
   E-Mail: [EMAIL PROTECTED]

   Gebeco GmbH & Co KG
   Holzkoppelweg 19
   D-24118 Kiel

   Commercial Register Kiel No. A 3964
   Tax number: 19 285 65407

   Management:
   Ury Steinweg, Chairman of the Management Board
   Thomas Bohlander

   We are also available at:
   www.gebeco.de or www.drtigges.de
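The two vectors Johannes describes above (a `<body onload>` tag in a comment, and a bare `" onchange=` string that needs no `<` or `>` at all) are neutralised by escaping every HTML control character, in element content and inside attribute values alike. The following is an added example, not code from the thread or from Wicket; the helper names, the rendering templates and the `naiveStripScript` comparison filter are assumptions for illustration.

```javascript
// Added example (not from the thread, not Wicket's code): escape user input
// into HTML entities so it is inert both as element content and inside a
// quoted attribute value.
const ENTITY_MAP = { '&': '&amp;', '<': '&lt;', '>': '&gt;',
                     '"': '&quot;', "'": '&#39;' };

// Replace every HTML control character with its entity.
function escapeHtml(input) {
  return String(input).replace(/[&<>"']/g, (ch) => ENTITY_MAP[ch]);
}

// Comment body rendered as element content.
function renderComment(body) {
  return `<div class="comment">${escapeHtml(body)}</div>`;
}

// Text field pre-filled with user input. The value must be escaped even
// though it already sits inside double quotes: a raw `"` would close the
// attribute and the remainder would become a new, attacker-chosen attribute.
function renderTextField(name, value) {
  return `<input type="text" name="${escapeHtml(name)}" value="${escapeHtml(value)}">`;
}

// Insufficient filter for comparison: only strips <script> tags, which
// neither of the payloads below uses.
function naiveStripScript(input) {
  return String(input).replace(/<\/?script[^>]*>/gi, '');
}

// Extract the names of double-quoted name="value" attributes from one tag,
// roughly as a browser would tokenise them.
function attributeNames(tag) {
  const names = [];
  const re = /(\w+)="[^"]*"/g;
  for (let m = re.exec(tag); m !== null; m = re.exec(tag)) names.push(m[1]);
  return names;
}

// Constructed payloads, taken verbatim from the thread.
const BODY_ONLOAD = '<body onload="alert(\'xss\')"></body>';
const ATTR_BREAKOUT = '" onchange="alert(\'xss\')';

// With the naive filter the injected onchange becomes a real attribute;
// with entity escaping it stays inside the value attribute as plain text.
const naiveField = `<input type="text" name="q" value="${naiveStripScript(ATTR_BREAKOUT)}">`;
console.log(attributeNames(naiveField));                          // ['type','name','value','onchange']
console.log(attributeNames(renderTextField('q', ATTR_BREAKOUT)));  // ['type','name','value']
console.log(renderComment(BODY_ONLOAD));                          // no "<body" survives
```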

