I’m doing some tests about XSS under Vaadin and wondering why the following code does not show a JavaScript alert box.
According to Labels it should be easy to insert some script code.
What do I mess up?
This might depend on the browser, if it executes JS injected like this. I don’t remember correctly, but I think there were some browsers where it worked and some where it didn’t (like 2–3 years ago).
So nowadays browsers seem to prohibit JavaScript injection. But how do they recognize that?
As far as I know you can place JavaScript code within [i][/i] tags everywhere in your HTML page.
If I have a look at the page with Firebug all I can see is that the JavaScript code was inserted within the [i]
Code inserted like that is not immediately run by many modern browsers, but can get executed if given e.g. as a response to onmouseover. Some older browsers directly execute the JavaScript even in these cases.
There can be many other tricks beyond using simple events, and new XSS protection evasion techniques are being invented every now and then, so the safest approach is to make sure no user-written HTML content is shown to a(nother) user.
As long as the value of a label can be changed by a user, styling like bold or italic should rather be done with CSS and added to that label than using XML / XHTML tags?!
That is the safest approach - not just with Vaadin but all web systems.
This is also one of the reasons why e.g. wiki systems use their own markup rather than HTML directly etc.
Note that using user-written CSS can also be a source of XSS vulnerabilities.
To learn more, search for information about cross-site scripting (XSS).
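One way to apply the advice above, as an added example that is not code from this thread or from Vaadin (the function and class names are assumptions): the user's value is always escaped into inert text, and presentation is chosen from a fixed list of CSS classes, so neither user-written tags nor user-written CSS ever reach the page.

```javascript
// Added example (not from the forum thread or Vaadin): render a
// user-supplied label value as inert text and style it only through an
// allow-listed CSS class. Function and class names are assumptions.

// Escape the five characters that let text break out of an HTML text node
// or attribute value. '&' must be replaced first so the other entities
// are not double-escaped.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// The only presentation choices a user may make (assumed class names).
// Anything else, including raw style declarations, falls back to 'plain'.
const ALLOWED_STYLES = new Set(['bold', 'italic', 'muted']);

// Build the label markup. The user's text can never become an element or
// an event attribute because every '<' and '"' is escaped; the class name
// can never be user-controlled because it comes from the fixed set.
function renderLabel(userText, requestedStyle) {
  const cls = ALLOWED_STYLES.has(requestedStyle) ? requestedStyle : 'plain';
  return `<span class="${cls}">${escapeHtml(userText)}</span>`;
}

// Self-check: the content between the wrapper tags must contain no '<',
// so nothing inside can be parsed as a tag (and thus no event handler).
function isInert(html) {
  const inner = html
    .replace(/^<span class="[a-z]+">/, '')
    .replace(/<\/span>$/, '');
  return !inner.includes('<');
}

// Constructed sample inputs a user might submit as a label value.
const SAMPLE_MARKUP = '<i onmouseover="run()">text</i>';
const SAMPLE_STYLE = 'background:url(x)';
```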