We've got a request from out customer to protect out GXT application from the cross-site scripting vulnerability.

My understanding that we need to escape all input text, for example, to substitute '&' for '&' in all inputted text.

Is there any known solution in GXT to make it done generally?

What I did so far is to use


public class SafeHtmlTextField extends TextField<String> {
public SafeHtmlTextField() {
super();
this.setPropertyEditor(new PropertyEditor<String>() {
@Override
public String getStringValue(String value) {
return Format.htmlDecode(value);
}


@Override
public String convertStringValue(String value) {
return Format.htmlEncode(value);
}
});
}
}