
Cross site scripting



andreiastra
23 Nov 2011, 3:41 AM
We've got a request from our customer to protect our GXT application from the cross-site scripting vulnerability.

My understanding is that we need to escape all input text, for example, to substitute '&amp;' for '&' in all inputted text.

Is there any known solution in GXT to do this generally?

andreiastra
23 Nov 2011, 7:51 AM
What I did so far is to use

    import com.extjs.gxt.ui.client.util.Format;
    import com.extjs.gxt.ui.client.widget.form.PropertyEditor;
    import com.extjs.gxt.ui.client.widget.form.TextField;

    /** TextField that keeps an HTML-encoded value in the model and shows it decoded in the field. */
    public class SafeHtmlTextField extends TextField<String> {
        public SafeHtmlTextField() {
            super();
            this.setPropertyEditor(new PropertyEditor<String>() {
                // model value -> text displayed in the field
                @Override
                public String getStringValue(String value) {
                    return Format.htmlDecode(value);
                }

                // text typed into the field -> value stored in the model
                @Override
                public String convertStringValue(String value) {
                    return Format.htmlEncode(value);
                }
            });
        }
    }
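An added example, not code from the thread or from GXT: a small escaper that does the same job as the Format.htmlEncode/htmlDecode pair used above (the exact entity set GXT handles is an assumption here), plus a demonstration of the one caveat with encoding on input: a value that is already stored encoded must not be encoded again by the view, or users see literal "&lt;" text.

```java
// Added example (not from the thread or GXT). Entity set is an assumption.
public final class HtmlEscapeDemo {

    /** Encode the characters that are significant in an HTML text or attribute context. */
    public static String htmlEncode(String s) {
        if (s == null) {
            return "";
        }
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    /** Inverse of htmlEncode; "&amp;" is decoded last so "&amp;lt;" yields "&lt;", not "<". */
    public static String htmlDecode(String s) {
        if (s == null) {
            return "";
        }
        return s.replace("&lt;", "<")
                .replace("&gt;", ">")
                .replace("&quot;", "\"")
                .replace("&#39;", "'")
                .replace("&amp;", "&");
    }

    public static void main(String[] args) {
        // Constructed sample input: markup that must render as inert text, never execute.
        String typed = "<b onmouseover=\"alert(1)\">Tom & Jerry</b>";
        // What the PropertyEditor in the post puts into the model.
        String stored = htmlEncode(typed);
        System.out.println("stored: " + stored);
        // Correct: the field shows the decoded text; a raw-HTML sink renders `stored` as plain text.
        System.out.println("field:  " + htmlDecode(stored));
        // Caveat: a renderer that escapes on output (the usual defence, e.g. a grid cell
        // renderer) now double-encodes, and the user literally sees "&lt;b ...".
        // Encode exactly once per sink, and be explicit about which values are pre-encoded.
        System.out.println("double: " + htmlEncode(stored));
    }
}
```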