
Escaping or Sanitizing HTML

Overview

A field that is user-editable and later displayed somewhere in the GUI as static text should have any HTML within its value either escaped or sanitized to prevent a user from being able to include malicious JavaScript (e.g. <script>document.write('<b>Hello World</b>');</script>) in the value that would be executed by the browser (a cross-site scripting (XSS) attack). Examples of such fields in RHQ are a Resource's name or description, an alert definition's name or description, or a bundle's name or description.

Escaping Versus Sanitizing

In most cases, values should be escaped, which means converting '<', '>', and '&' to the corresponding HTML entities, effectively converting any HTML tags to harmless text. This is desirable because it not only prevents XSS attacks, but it also prevents HTML or CSS in values from messing up the look or feel of the GUI. For example, if a user entered "<h1>foobar</h1>" as the name of a Resource, displaying that name as unescaped HTML would cause the name to be displayed in an obnoxiously large font, which would throw off the rest of the page.

In a few exceptional cases, a field is intended to allow the user to include HTML in its value (e.g. the message portlet on the dashboard). In such cases, we do not want to escape the HTML, but we still need to "sanitize" it (i.e. remove or escape any "unsafe" HTML tags such as <script>).

Places That Need Escaping or Sanitizing

There are a few different places where user-editable field values need to be either escaped or sanitized:

  1. StaticTextItem values
  2. ListGrid/TreeGrid record values (use EscapedHtmlCellFormatter to escape these)
  3. message center Message values
  4. others?

Note that for TableSection subclasses, the cell formatter for the details link column is handled by the TableSection class itself. If that column's value needs to be escaped, TableSection can be told to do so by calling setEscapeHtmlInDetailsLinkColumn(true) in the subclass's constructor.

How to Escape and Sanitize

To escape a value:

To sanitize a value:

The sanitizeHtml() method is currently very weak and handles only a small subset of unsafe HTML. Once we upgrade to GWT 2.1 or later, we should replace it with the new safe HTML APIs provided by GWT.
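The following is an added example, not RHQ's own escapeHtml()/sanitizeHtml() code and not the GWT safe HTML API, showing the two behaviours described above in plain Java: an escaper that turns '<', '>' and '&' (plus quotes, added here so the result is also safe inside attribute values) into entities, and a small allow-list sanitizer for fields like the message portlet that keeps a few harmless tags, drops all attributes, and escapes everything else. The class name HtmlSafety and the allow-list contents are assumptions.

```java
// Added example (not RHQ project code): minimal HTML escaping and allow-list
// sanitizing. Class name and allowed-tag set are hypothetical choices.
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public final class HtmlSafety {

    /** Escape '&', '<', '>' and quotes so the value renders as literal text. */
    public static String escapeHtml(String value) {
        if (value == null) {
            return null;
        }
        StringBuilder sb = new StringBuilder(value.length() + 16);
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Tags a user may keep in a rich-text field (constructed allow-list; adjust per field).
    private static final Set<String> ALLOWED_TAGS =
        new HashSet<String>(Arrays.asList("b", "i", "u", "p", "br", "ul", "ol", "li"));

    // Matches a tag; group 1 is the optional closing slash, group 2 the tag name.
    // Attributes are matched but never copied to the output.
    private static final Pattern TAG = Pattern.compile("<(/?)([a-zA-Z][a-zA-Z0-9]*)[^>]*>");

    /** Keep only allow-listed tags (attributes stripped); all other markup is escaped to text. */
    public static String sanitizeHtml(String value) {
        if (value == null) {
            return null;
        }
        Matcher m = TAG.matcher(value);
        StringBuilder out = new StringBuilder(value.length());
        int last = 0;
        while (m.find()) {
            // Text between tags is escaped so a stray '<' or '&' cannot form markup.
            out.append(escapeHtml(value.substring(last, m.start())));
            String name = m.group(2).toLowerCase();
            if (ALLOWED_TAGS.contains(name)) {
                out.append('<').append(m.group(1)).append(name).append('>');
            } else {
                // Disallowed tag (e.g. <script>, <iframe>) becomes visible text.
                out.append(escapeHtml(m.group()));
            }
            last = m.end();
        }
        out.append(escapeHtml(value.substring(last)));
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed sample values of the kind a user might type into a name field.
        System.out.println(escapeHtml("<h1>foobar</h1>"));
        System.out.println(sanitizeHtml("<b onclick=\"x()\">hi</b><script>document.write('x')</script>"));
    }
}
```

With these rules a Resource name such as <h1>foobar</h1> displays as literal text rather than a heading, and in the sanitized case the <b> survives without its onclick attribute while the <script> element and its body are shown as plain text instead of being executed. Because the sanitizer escapes everything it does not explicitly recognise, a malformed or unterminated tag falls through to escapeHtml() rather than reaching the browser as markup.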

Bugzilla

We have a tracker BZ issue with the alias "gwt-sec" for GWT security:

https://bugzilla.redhat.com/showdependencytree.cgi?id=gwt-sec&hide_resolved=1

If you find some place in the GUI where user-editable field values are not escaped, create a new BZ issue and make it a blocker of gwt-sec.
