XSS Attacks

Hi,

I’m using Vaadin for a major twitter-style website to be launched soon.

Vaadin Book says “You can put raw XHTML content in many components, such as the Label and CustomLayout, as well as in tooltips and notifications.”.
http://vaadin.com/book/-/page/advanced.security.html

Nowhere is it described what Vaadin does against XSS attacks and what the vulnerabilities are:

  • Are tooltips and notifications the only vulnerable places?
  • What escaping does Vaadin do in Labels, CustomLayout and other components?
  • Is Vaadin vulnerable only if RAW (X)HTML mode is specified?

Is Vaadin safe against all the XSS attacks described here: http://ha.ckers.org/xss.html ?

Thanks, Klaus

An unofficial answer, but technology doesn’t prevent XSS attacks. If you allow users to post data that includes HTML/JavaScript/etc. and you then show it “as is” without escaping it yourself, then you are allowing XSS.

A Label by itself won’t allow this as it escapes the data as expected. But if you allow it to contain XHTML and then allow users to put whatever they want in that Label, then you’ve allowed XSS attacks on your site.

You mean if one of your customers were using the CKEditor wrapper for Vaadin, you would advise him to give up, as you would not trust libraries that try to clean the HTML code of any JavaScript?

I don’t understand your comments as they seem unrelated to the original question asked or my unofficial answer regarding Vaadin and XSS.

If you allow people to enter HTML, then it is up to you to “clean” it to avoid XSS. The Label class when using XHTML allows you to insert HTML and I’m sure it’s not escaped or anything as you have specifically requested it not be. If you just use the Label “as is” then it will escape for you and you won’t have an XSS issue. But if you tell it you want to allow the HTML to go through untouched, you can’t blame the component.

The CKEditor for Vaadin component isn’t even part of Vaadin and was not part of the question. If you allow unrestricted use of CKEditor (users can enter what they want) and then show the results to other users, you probably will open yourself to XSS attacks. I never said you can’t scrub your data, remove all JavaScript or the like.

In Open eSignForms, external users don’t use CKEditor at all, so we don’t have an XSS issue either. I mean, if the site owner puts the attack in, then I guess we can’t “prevent” that but that’s an absurdity since the site owner can put whatever web site they want. None of this has anything to do with XSS vulnerabilities in Vaadin itself.
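The point made in the two answers above (a plain Label escapes user text; XHTML mode passes it through untouched, so anything shown in XHTML mode must be cleaned first) as an added example that is not part of the original thread. It assumes the Vaadin 6 Label API (Label(String, int) with Label.CONTENT_XHTML) and jsoup's Jsoup.clean() with Whitelist.basic() (renamed Safelist in later jsoup releases); the USER_POST string is a constructed sample of what a user of a twitter-style site might submit.

```java
// Added example, not code from the Vaadin project or from the thread.
// Assumes Vaadin 6 (Label.CONTENT_TEXT / Label.CONTENT_XHTML) and jsoup.
import com.vaadin.ui.Label;
import com.vaadin.ui.VerticalLayout;
import org.jsoup.Jsoup;
import org.jsoup.safety.Whitelist;

public class XssLabelDemo {

    // Constructed attacker-style input: some legitimate formatting plus two
    // script-execution vectors (a script tag and an event-handler attribute).
    static final String USER_POST =
        "Hello <b>world</b> <script>alert(document.cookie)</script>"
        + "<img src=x onerror=\"alert(1)\">";

    // Safe: the default content mode (CONTENT_TEXT) escapes markup, so the
    // browser renders the tags as literal text and nothing executes.
    static Label asText(String userInput) {
        return new Label(userInput);
    }

    // Unsafe with untrusted input: XHTML mode sends the string to the
    // browser unchanged. This is the case the answers above warn about.
    static Label asRawXhtml(String userInput) {
        return new Label(userInput, Label.CONTENT_XHTML);
    }

    // If users may use *some* formatting, run their HTML through a
    // whitelist-based cleaner first. Whitelist.basic() keeps tags such as
    // <b>, <i>, <a>, <p> and drops <script>, <img> and every event-handler
    // attribute (onerror, onclick, ...), so only inert markup reaches the Label.
    static String sanitize(String userInput) {
        return Jsoup.clean(userInput, Whitelist.basic());
    }

    static Label asSanitizedXhtml(String userInput) {
        return new Label(sanitize(userInput), Label.CONTENT_XHTML);
    }

    // Builds a layout showing the two safe variants side by side.
    // asRawXhtml(USER_POST) is deliberately not added: it would run the script.
    public static VerticalLayout buildDemo() {
        VerticalLayout layout = new VerticalLayout();
        layout.addComponent(asText(USER_POST));          // shows the tags as text
        layout.addComponent(asSanitizedXhtml(USER_POST)); // shows "Hello <b>world</b>" only
        return layout;
    }
}
```

The same rule applies to every place that accepts raw XHTML (CustomLayout, tooltips, notifications): the component does no escaping once you ask for XHTML, so the sanitize step has to happen in your code, before the string reaches the component, for anything a user typed.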