Prevent script-injection attacks from user's input

Prevent script-injection attacks from user's input

Arunachalam Sibisakkaravarthi
Hi guys,
A JS alert is displayed when a user inputs <script>alert('xss attacks')</script> and submits the form. How do I handle this? Basically I want to prevent Cross-Site Scripting from user inputs.
Is it possible to do this globally, since our Wicket webapp is big?
I found the post below, which was discussed in 2010.
Preventing-user-input-script-injection-attacks
<http://apache-wicket.1842946.n4.nabble.com/Preventing-user-input-script-injection-attacks-td3059119.html>

Thanks and Regards
Sibi.Arunachalam
mCruncher
Re: Prevent script-injection attacks from user's input

Maxim Solodovnik
You can completely disable inline scripts using strict CSP.
And of course it is you who outputs the script entered to the page :)
If it is done via Label, just remove 'setEscapeModelStrings(false)'.

If you need to accept and display HTML input, you can 'sanitize' the form value.

from mobile (sorry for typos ;)


On Tue, Oct 27, 2020, 07:34 Arunachalam Sibisakkaravarthi <
[hidden email]> wrote:

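The three options in Maxim's reply, written out as an added example (this is not code from the thread or from Wicket itself). The CSP call assumes the Wicket 9 getCspSettings() API, the sanitizer is the OWASP Java HTML Sanitizer (a separate dependency, not part of Wicket), and the class name, wicket:ids and the chosen policy are assumptions:

```java
import org.apache.wicket.markup.html.basic.Label;
import org.apache.wicket.markup.html.panel.Panel;
import org.apache.wicket.model.IModel;
import org.apache.wicket.protocol.http.WebApplication;
import org.owasp.html.PolicyFactory;
import org.owasp.html.Sanitizers;

/** Added example: renders a user-supplied comment the ways Maxim describes. */
public class CommentPanel extends Panel {

    // Allow-list policy from the OWASP Java HTML Sanitizer (assumed dependency):
    // basic formatting tags and links only; <script>, on* handlers and
    // javascript: URLs are dropped by the policy.
    private static final PolicyFactory POLICY = Sanitizers.FORMATTING.and(Sanitizers.LINKS);

    public CommentPanel(String id, IModel<String> userInput) {
        super(id);

        // The fix from this thread: a Label escapes model strings by default, so
        // <script>alert('xss attacks')</script> is rendered as visible text.
        // Do not call setEscapeModelStrings(false) on a component fed from user input.
        add(new Label("comment", userInput));

        // If HTML must be kept: sanitize against the allow-list first and only then
        // disable escaping for this one component. What is trusted is the sanitizer
        // output, never the raw input. (Lambda rather than POLICY::sanitize so the
        // page stays serializable: PolicyFactory is not Serializable.)
        add(new Label("richComment", userInput.map(html -> POLICY.sanitize(html)))
                .setEscapeModelStrings(false));
    }

    /** Application-level part (assumes Wicket 9, where strict CSP is also the default). */
    public static void configureCsp(WebApplication app) {
        // Sends a nonce-based Content-Security-Policy header; an inline <script> that
        // lacks the per-request nonce is refused by the browser. Defence in depth only:
        // it does not replace escaping. Call this from your Application.init().
        app.getCspSettings().blocking().strict();
    }
}
```

The first Label is the whole fix for the case in this thread; the CSP and the sanitizer are layers for the cases where escaping alone is not enough (a legacy component that must emit HTML, or a developer who disables escaping by mistake).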
Re: Prevent script-injection attacks from user's input

Arunachalam Sibisakkaravarthi
Thanks Maxim Solodovnik.
It took me a while to identify the problem.
Your reply helped me; in my case 'setEscapeModelStrings(false)' was set on the feedback panel.
The problem is solved after removing it.

Thanks and Regards
Sibi.Arunachalam
mCruncher


On Tue, Oct 27, 2020 at 9:01 AM Maxim Solodovnik <[hidden email]>
wrote:

Re: Prevent script-injection attacks from user's input

Ernesto Reinaldo Barreiro-4
Hi,

If you want to make sure none of your developers uses his/her fat fingers, you might register at application level an IComponentOnBeforeRenderListener that checks/sets this to true. If you want to exclude some components you can create some annotation to mark components that are allowed to have this set to false.

On Wed, Oct 28, 2020 at 8:57 AM Arunachalam Sibisakkaravarthi <
[hidden email]> wrote:



--
Regards - Ernesto Reinaldo Barreiro
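One way to implement Ernesto's suggestion, as an added example (not Wicket's own code and not code from the thread): a listener registered from Application.init() that refuses to render a component with escaping turned off unless its class carries a marker annotation. The listener collection name assumes Wicket 6 or later (getComponentPostOnBeforeRenderListeners()); the annotation name and the fail-in-development policy are assumptions:

```java
import java.lang.annotation.ElementType;
import java.lang.annotation.Inherited;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;

import org.apache.wicket.Component;
import org.apache.wicket.application.IComponentOnBeforeRenderListener;
import org.apache.wicket.protocol.http.WebApplication;

/** Added example: forces escapeModelStrings=true unless the component type opts out. */
public class EscapeModelStringsEnforcer implements IComponentOnBeforeRenderListener {

    /** Marker (assumed name) for component classes reviewed to render unescaped, pre-sanitized HTML. */
    @Inherited
    @Retention(RetentionPolicy.RUNTIME)
    @Target(ElementType.TYPE)
    public @interface AllowsRawHtml {
    }

    /** Register from Application.init(); the post-listener runs after the component's own onBeforeRender(). */
    public static void install(WebApplication app) {
        app.getComponentPostOnBeforeRenderListeners().add(new EscapeModelStringsEnforcer());
    }

    @Override
    public void onBeforeRender(Component component) {
        if (component.getEscapeModelStrings()) {
            return; // the default, safe state
        }
        if (component.getClass().isAnnotationPresent(AllowsRawHtml.class)) {
            return; // explicitly reviewed component (e.g. one that sanitizes first)
        }
        // Policy (assumption): fail loudly in development so the stray call is noticed;
        // in deployment quietly fall back to escaping rather than break the page.
        if (component.getApplication().usesDevelopmentConfig()) {
            throw new IllegalStateException("setEscapeModelStrings(false) on unreviewed component "
                    + component.getPageRelativePath() + " (" + component.getClass().getName() + ")");
        }
        component.setEscapeModelStrings(true);
    }
}
```

The listener is invoked for every component as it is prepared for render, children included, so a setting that a container copies into the components it creates (as in the feedback panel case above) is still caught on each of them. Because the annotation is @Inherited, an anonymous subclass of an annotated component type is also allowed through; anything else renders escaped.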
Re: Prevent script-injection attacks from user's input

Arunachalam Sibisakkaravarthi
Thanks Ernesto Reinaldo for your suggestion.
In the same context, I want to validate the user's input.
Is there a proper/standard way to validate all Text Fields in a form?
Currently IVisitor is used to iterate components in the form.


Thanks and Regards
Sibi.Arunachalam
mCruncher


On Fri, Oct 30, 2020 at 1:49 PM Arunachalam Sibisakkaravarthi <
[hidden email]> wrote:

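The visitor approach mentioned in the question above, as an added example (not the asker's code and not a Wicket built-in): one allow-list validator attached to every TextField in a form through visitChildren(). The class name, the pattern and the error message are assumptions, and the validator is only attached to String-typed fields:

```java
import java.util.regex.Pattern;

import org.apache.wicket.markup.html.form.Form;
import org.apache.wicket.markup.html.form.TextField;
import org.apache.wicket.util.visit.IVisitor;
import org.apache.wicket.validation.IValidatable;
import org.apache.wicket.validation.IValidator;
import org.apache.wicket.validation.ValidationError;

/** Added example: attaches one allow-list validator to every String TextField of a form. */
public final class TextFieldAllowList {

    // Allow-list (assumption; adjust per field): letters, digits, space and light punctuation.
    // '<', '>', '"', '&' and '/' are deliberately absent, so markup of any kind is rejected
    // instead of block-listing "<script>" (which misses onerror=, javascript: URLs, etc.).
    static final Pattern SAFE_TEXT = Pattern.compile("[\\p{L}\\p{N} .,:;'!?()\\-]*");

    public static final class AllowListValidator implements IValidator<String> {
        @Override
        public void validate(IValidatable<String> validatable) {
            String value = validatable.getValue();
            if (value != null && !SAFE_TEXT.matcher(value).matches()) {
                ValidationError error = new ValidationError(this);
                error.setMessage("Only letters, digits and basic punctuation are allowed");
                validatable.error(error);
            }
        }
    }

    private TextFieldAllowList() {
    }

    /** Call once the form's components exist (end of the form's constructor, or its onInitialize()). */
    public static void applyTo(Form<?> form) {
        // visitChildren() is deep, so TextFields inside nested panels are covered too.
        form.visitChildren(TextField.class, (IVisitor<TextField<String>, Void>) (field, visit) -> {
            // Only String-typed fields: for typed fields (Integer, Date, ...) the
            // converted value is not a String and this validator would not apply.
            Class<?> type = field.getType();
            if (type == null || String.class.equals(type)) {
                field.add(new AllowListValidator());
            }
        });
    }
}
```

A validator of this kind rejects input; it does not neutralize it. The output-side fix from earlier in the thread (leaving escaping on) stays in place regardless, because the same value may reach a page through a path the form never validated, and for fields that must legitimately accept characters such as '<' or '&' the allow-list has to be widened and the output escaping is the only defence.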