Javascript not executed

I’m doing some tests about XSS under vaadin and wondering why following code does not show up a javascript alert box.
According to
Labels
it shoud be easy to insert some script code.
What do I mess up?

label.setContentMode(Label.CONTENT_RAW);
label.setValue("<script>alert(\"hello world!\");</script>");

Don’t know about if you can use labels to execute javascript with ajax and all, but the main way to do it (in Vaadin 6 is through):

getMainWindow().executeJavaScript(String script)

Vaadin 7 has a whole new JS API

Thanks Jens

I want to figure out if one really can execute JavaScript and according to this section under Labels it should be possible:

Under Section 12.9.1 it’s written:

So out of my point of view it should be possible to run JavaScript in Labels. It doesn’t work though.

This might depend on the browser, if it executes JS injected like this. I don’t remember correctly, but I think there was some browsers where it worked and some where it didn’t (like 2–3 years ago).

I appreciate your answer, Jouni.

So nowadays browsers seem to prohibit JavaScript injection. But how do they recognize that?
As far as I know you can place JavaScript Code within [i]

[/i] tags everywhere in your HTML page. If I have a look at the page with Firebug all I can see is that the JavaScript Code was inserted within the [i]
[/i] of the Label.

Code inserted like that is not immediately run by many modern browsers, but can get executed if given e.g. as a response to onmouseover. Some older browsers directly execute the JavaScript even in these cases.

There can be many other tricks beyond using simple events and new XSS protection evasion techniques are being invented every now and then, so the safest approach is to make sure no user written HTML content is shown to a(nother) user.

To sum up:

As long as a value of a label can be changed through a user, styling like bold or italic should rather be done with CSS and added to that label than using XML / XHTML tags?!

That is the safest approach - not just with Vaadin but all web systems.
This is also one of the reasons why e.g. wiki systems use their own markup rather than HTML directly etc.

Note that using user-written CSS can also be a source of XSS vulnerabilities.

To learn more, search for information about cross-site scripting (XSS).

Thanks Henri, I really appreciate your answer.

For all interested people here, there’s a good page out there:
https://www.owasp.org/index.php/XSS