
Javascript not executed
I'm doing some tests about XSS under Vaadin and wondering why the following code does not show a JavaScript alert box.
According to the Labels section it should be easy to insert some script code.
What am I doing wrong?
label.setContentMode(Label.CONTENT_RAW);
label.setValue("<script>alert(\"hello world!\");</script>");
I don't know whether you can use labels to execute JavaScript with Ajax and all, but the main way to do it (in Vaadin 6) is through:
getMainWindow().executeJavaScript(String script)
Vaadin 7 has a whole new JS API
Thanks Jens
I want to figure out whether one really can execute JavaScript, and according to this section under Labels it should be possible:
Having Label in RAW, XHTML, or XML content modes allows pure HTML content. If the content comes from user input, you should always carefully sanitize it to prevent cross-site scripting (XSS) attacks. Please see Section 12.9.1, “Sanitizing User Input to Prevent Cross-Site Scripting”.
Under Section 12.9.1 it's written:
Offensive code can easily be injected with <script> markup [...]
So from my point of view it should be possible to run JavaScript in Labels. It doesn't work though.
This might depend on the browser, i.e. whether it executes JS injected like this. I don't remember exactly, but I think there were some browsers where it worked and some where it didn't (like 2–3 years ago).
I appreciate your answer, Jouni.
So nowadays browsers seem to prohibit JavaScript injection. But how do they recognize that?
As far as I know you can place JavaScript code within <script> tags anywhere in your HTML page.
If I have a look at the page with Firebug all I can see is that the JavaScript Code was inserted within the <div> of the Label.
Code inserted like that is not immediately run by many modern browsers, but can get executed if given e.g. as a response to onmouseover. Some older browsers directly execute the JavaScript even in these cases.
There can be many other tricks beyond using simple events and new XSS protection evasion techniques are being invented every now and then, so the safest approach is to make sure no user written HTML content is shown to a(nother) user.
To sum up:
As long as the value of a label can be changed by a user, styling like bold or italic should rather be done with CSS added to that label than with XML / XHTML tags?!
That is the safest approach - not just with Vaadin but all web systems.
This is also one of the reasons why e.g. wiki systems use their own markup rather than HTML directly etc.
Note that using user-written CSS can also be a source of XSS vulnerabilities.
To learn more, search for information about cross-site scripting (XSS).
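The three approaches discussed in this thread side by side, as an added example that is not code from the original posts or from the Vaadin project. It shows, for Vaadin 6, the same user-supplied string rendered with CONTENT_RAW (vulnerable, since the event handler fires on hover even though a bare <script> element inserted through innerHTML is not executed by browsers that follow the HTML specification), with CONTENT_TEXT plus a CSS class (the approach recommended above), and with a small escaping helper for the case where the application itself must wrap user text in markup. The sample input, the style name "user-comment" and the helper escapeHtml are assumptions for illustration; only the Label and VerticalLayout calls are the Vaadin 6 API.

```java
import com.vaadin.ui.Label;
import com.vaadin.ui.VerticalLayout;

// Added example (not from the thread): how one untrusted string behaves in
// the different Vaadin 6 content modes, next to the safe alternatives.
public class LabelXssExample extends VerticalLayout {

    // Constructed sample of untrusted input. With CONTENT_RAW it becomes a
    // real element whose onmouseover handler runs as soon as the user hovers
    // over the text; the <script> form from the original question stays inert
    // because the browser does not execute scripts inserted via innerHTML.
    static final String USER_INPUT =
        "<b onmouseover=\"alert('xss')\">hover me</b>";

    public LabelXssExample() {
        // Vulnerable: raw HTML from the user is handed to the browser unchanged.
        Label unsafe = new Label(USER_INPUT);
        unsafe.setContentMode(Label.CONTENT_RAW);
        addComponent(unsafe);

        // Safe: CONTENT_TEXT (the default mode) sends the string as text, so
        // the browser shows the markup literally instead of parsing it.
        Label safe = new Label(USER_INPUT);
        safe.setContentMode(Label.CONTENT_TEXT);
        // Bold/italic etc. come from a CSS class defined in the theme, never
        // from user-written tags. "user-comment" is an assumed class name.
        safe.addStyleName("user-comment");
        addComponent(safe);

        // If application-owned markup must wrap user text, escape the user
        // part before concatenating it into an XHTML/RAW label.
        Label mixed = new Label("<i>" + escapeHtml(USER_INPUT) + "</i>");
        mixed.setContentMode(Label.CONTENT_XHTML);
        addComponent(mixed);
    }

    // Minimal HTML escaping helper (added here; not a Vaadin API). Escaping
    // the five significant characters turns tags and attribute quotes into
    // inert text, so neither <script> nor event handlers can be introduced.
    static String escapeHtml(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (char c : s.toCharArray()) {
            switch (c) {
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '&':  out.append("&amp;");  break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }
}
```

Escaping only covers insertion into element content or a double-quoted attribute value; user text placed inside a URL, a style attribute or a script block needs context-specific handling, which is why the thread's advice to keep user markup (and user CSS) out of the page entirely is the simplest safe choice.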
Thanks Henri, I really appreciate your answer.
For all interested people here, there's a good page out there: https://www.owasp.org/index.php/XSS