Get started
Loading...
Important Notice - Forums is archived

To simplify things and help our users to be more productive, we have archived the current forum and focus our efforts on helping developers on Stack Overflow. You can post new questions on Stack Overflow or join our Discord channel.

Product icon
TUTORIAL

Vaadin lets you build secure, UX-first PWAs entirely in Java.
Free ebook & tutorial.

CssImport when using Component Exporter by Mikhail Shabarov, 1 month ago
Recent Posts
Vaadin Forum4. Other

Javascript not executed

Andreas Buechler
10 years ago Jun 30, 2012 9:34pm

I'm doing some tests about XSS under vaadin and wondering why following code does not show up a javascript alert box.
According to Labels it shoud be easy to insert some script code.
What do I mess up?

label.setContentMode(Label.CONTENT_RAW);
label.setValue("<script>alert(\"hello world!\");</script>");
Last updated on Jun, 30th 2012
Jens Jansson
10 years ago Jul 01, 2012 9:34am

Don't know about if you can use labels to execute javascript with ajax and all, but the main way to do it (in Vaadin 6 is through):

getMainWindow().executeJavaScript(String script)

Vaadin 7 has a whole new JS API

Andreas Buechler
10 years ago Jul 02, 2012 7:00am

Thanks Jens

I want to figure out if one really can execute JavaScript and according to this section under Labels it should be possible:

Having Label in RAW, XHTML, or XML content modes allows pure HTML content. If the content comes from user input, you should always carefully sanitize it to prevent cross-site scripting (XSS) attacks. Please see Section 12.9.1, “Sanitizing User Input to Prevent Cross-Site Scripting”.

Under Section 12.9.1 it's written:

Offensive code can easily be injected with <script> markup [...]

So out of my point of view it should be possible to run JavaScript in Labels. It doesn't work though.

Last updated on Jul, 2nd 2012
Jouni Koivuviita
10 years ago Jul 02, 2012 8:54am

This might depend on the browser, if it executes JS injected like this. I don't remember correctly, but I think there was some browsers where it worked and some where it didn't (like 2–3 years ago).

Andreas Buechler
10 years ago Jul 02, 2012 9:40am

I appreciate your answer, Jouni.

So nowadays browsers seem to prohibit JavaScript injection. But how do they recognize that?
As far as I know you can place JavaScript Code within <script> tags everywhere in your HTML page.

If I have a look at the page with Firebug all I can see is that the JavaScript Code was inserted within the <div> of the Label.

Last updated on Jul, 2nd 2012
Henri Sara
10 years ago Jul 02, 2012 10:22am

Code inserted like that is not immediately run by many modern browsers, but can get executed if given e.g. as a response to onmouseover. Some older browsers directly execute the JavaScript even in these cases.

There can be many other tricks beyond using simple events and new XSS protection evasion techniques are being invented every now and then, so the safest approach is to make sure no user written HTML content is shown to a(nother) user.

Andreas Buechler
10 years ago Jul 03, 2012 8:41am

To sum up:

As long as a value of a label can be changed through a user, styling like bold or italic should rather be done with CSS and added to that label than using XML / XHTML tags?!

Last updated on Jul, 3rd 2012
Henri Sara
10 years ago Jul 03, 2012 10:54am

That is the safest approach - not just with Vaadin but all web systems.
This is also one of the reasons why e.g. wiki systems use their own markup rather than HTML directly etc.

Note that using user-written CSS can also be a source of XSS vulnerabilities.

To learn more, search for information about cross-site scripting (XSS).

Andreas Buechler
10 years ago Jul 03, 2012 12:11pm

Thanks Henri, I really appreciate your answer.

For all interested people here, there's a good page out there: https://www.owasp.org/index.php/XSS

Last updated on Jul, 3rd 2012