According to Labels it should be easy to insert some script code.
What am I messing up?
// Vaadin 6: RAW content mode renders the value as unescaped HTML
label.setContentMode(Label.CONTENT_RAW);
label.setValue("<script>alert(\"hello world!\");</script>");
Having Label in RAW, XHTML, or XML content modes allows pure HTML content. If the content comes from user input, you should always carefully sanitize it to prevent cross-site scripting (XSS) attacks. Please see Section 12.9.1, “Sanitizing User Input to Prevent Cross-Site Scripting”.
Under Section 12.9.1 it's written:
Offensive code can easily be injected with <script> markup [...]
This might depend on the browser, i.e. whether it executes JS injected like this. I don't remember correctly, but I think there were some browsers where it worked and some where it didn't (like 2–3 years ago).
I appreciate your answer, Jouni.
There can be many other tricks beyond using simple events and new XSS protection evasion techniques are being invented every now and then, so the safest approach is to make sure no user written HTML content is shown to a(nother) user.
To sum up:
As long as the value of a label can be changed by a user, styling like bold or italic should rather be done with CSS added to that label than with XML / XHTML tags?!
That is the safest approach - not just with Vaadin but all web systems.
This is also one of the reasons why e.g. wiki systems use their own markup rather than HTML directly etc.
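To make the two points above concrete (the Label content mode is the whole difference, and styling belongs in a CSS class rather than in user-supplied tags), here is an added example that is not from this thread or from the Vaadin project. It assumes the Vaadin 6 API (Label.CONTENT_TEXT and Label.CONTENT_XHTML, Component.addStyleName) and jsoup on the classpath (org.jsoup.Jsoup, org.jsoup.safety.Whitelist); the class and method names (SafeLabels, unsafeLabel, textLabel, sanitizedLabel, the "emphasized" style name) are made up for illustration, and the attacker input is constructed.

```java
import com.vaadin.ui.Label;
import org.jsoup.Jsoup;
import org.jsoup.safety.Whitelist;

/**
 * Added example, not code from the thread or from Vaadin. Assumes Vaadin 6
 * (Label.CONTENT_TEXT / CONTENT_XHTML) and jsoup (Jsoup.clean, Whitelist).
 */
public class SafeLabels {

    // Constructed attacker input. The <script> block is the payload from the
    // question, which a browser may or may not run when the markup is inserted
    // into the page; the <img onerror> payload is the kind of "other trick"
    // mentioned above and needs no <script> tag at all.
    static final String UNTRUSTED =
        "<b>hello</b><script>alert(1)</script><img src=x onerror=alert(2)>";

    /** Vulnerable: whatever the user typed becomes live HTML in the page. */
    static Label unsafeLabel(String userInput) {
        return new Label(userInput, Label.CONTENT_XHTML);
    }

    /**
     * Safest option: show the input as text. Tags are escaped and displayed
     * literally, so nothing in the value is interpreted by the browser.
     * Formatting comes from a CSS class in the theme, e.g.
     *   .v-label-emphasized { font-weight: bold; font-style: italic; }
     */
    static Label textLabel(String userInput) {
        Label label = new Label(userInput, Label.CONTENT_TEXT);
        label.addStyleName("emphasized");
        return label;
    }

    /**
     * If some user markup really must be rendered, whitelist it on the server
     * before it reaches the Label. Whitelist.basic() keeps simple formatting
     * (b, i, em, strong, p, a, ...) and drops script elements, images and
     * every on* event-handler attribute. This is a mitigation, not a
     * substitute for CONTENT_TEXT, because new evasion techniques appear.
     */
    static String sanitize(String userInput) {
        return Jsoup.clean(userInput, Whitelist.basic());
    }

    static Label sanitizedLabel(String userInput) {
        return new Label(sanitize(userInput), Label.CONTENT_XHTML);
    }

    public static void main(String[] args) {
        // Compare what each variant would hand to the browser.
        System.out.println("unsafe     : " + UNTRUSTED);
        System.out.println("sanitized  : " + sanitize(UNTRUSTED));
        System.out.println("as text    : " + textLabel(UNTRUSTED).getValue());
    }
}
```

The text variant is the one the replies above recommend: the value stays data, and the bold or italic look is attached to the component with addStyleName, so a user can change the label's content but never its markup.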
Note that using user-written CSS can also be a source of XSS vulnerabilities.
To learn more, search for information about cross-site scripting (XSS).