In most cases, values should be escaped, which means converting '<', '>', and '&' to the corresponding HTML entities, effectively turning any HTML tags into harmless text. This is desirable because it not only prevents XSS attacks, but also prevents HTML or CSS in values from disrupting the layout or styling of the GUI. For example, if a user entered "<h1>foobar</h1>" as the name of a Resource, displaying that name as unescaped HTML would render the name in an obnoxiously large font, which would throw off the rest of the page.
In a few exceptional cases, a field is intended to allow the user to include HTML in its value (e.g. the message portlet on the dashboard). In such cases, we do not want to escape the HTML, but we still need to "sanitize" it (i.e. remove or escape any "unsafe" HTML tags such as <script>).
There are a few different places where user-editable field values need to be either escaped or sanitized:
- StaticTextItems values
- ListGrid/TreeGrid record values (use EscapedHtmlCellFormatter to escape these)
- message center Message values
Note that for TableSection subclasses, the cell formatter for the details-link column is handled by the TableSection class itself. If that column's values need to be escaped, tell TableSection to do so by calling setEscapeHtmlInDetailsLinkColumn(true) in the subclass's constructor.
To escape a value:
To sanitize a value:
|The sanitizeHtml() method is currently very weak and handles only a small subset of unsafe HTML. Once we upgrade to GWT 2.1 or later, we should replace it with the new safe HTML APIs provided by GWT.|
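As an added illustration of the two operations described above (this is not the project's own escape/sanitize code): escaping renders every tag as literal text, while sanitizing keeps a small allowlist of attribute-free tags and escapes everything else instead of silently deleting it. JavaScript is used because the GWT client ultimately runs as JavaScript in the browser; the function names and the allowlist are assumptions.

```javascript
// Escape: turn every character that carries meaning in HTML into an entity so the
// value renders as plain text. Quotes are included so the result is also safe
// inside attribute values, not only in element content.
const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Sanitize: allowlist of harmless tags (assumed for this example). A tag is kept
// only if its name is on the list AND it carries no attributes; anything else,
// including event-handler attributes on an otherwise allowed tag, is escaped and
// therefore shows up as visible text rather than being interpreted by the browser.
const ALLOWED_TAGS = new Set(['b', 'i', 'em', 'strong', 'p', 'br']);

function sanitizeHtml(value) {
  const text = String(value);
  // Matches an opening or closing tag; attributes (if any) are captured separately.
  const tagRe = /<\/?([a-zA-Z][a-zA-Z0-9]*)([^<>]*)>/g;
  let out = '';
  let last = 0;
  let m;
  while ((m = tagRe.exec(text)) !== null) {
    out += escapeHtml(text.slice(last, m.index)); // text between tags is always escaped
    const [whole, name, attrs] = m;
    const hasAttrs = attrs.replace('/', '').trim() !== ''; // tolerate "<br/>"
    if (ALLOWED_TAGS.has(name.toLowerCase()) && !hasAttrs) {
      out += whole;            // harmless, attribute-free tag: keep as markup
    } else {
      out += escapeHtml(whole); // unsafe or unknown tag: show it as text
    }
    last = tagRe.lastIndex;
  }
  return out + escapeHtml(text.slice(last)); // trailing text (stray '<' included)
}

// Constructed sample values, e.g. a Resource name and a dashboard message.
const resourceName = '<h1>foobar</h1>';
const dashboardMessage = '<b>Maintenance</b> tonight <script>alert(1)</script> 1 < 2 <br/>';
function demo() {
  return { escaped: escapeHtml(resourceName), sanitized: sanitizeHtml(dashboardMessage) };
}
```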
We have a tracker BZ issue with the alias "gwt-sec" for GWT security:
If you find some place in the GUI where user-editable field values are not escaped, create a new BZ issue and make it a blocker of gwt-sec.