
mugle-dev team mailing list archive

Use of gwt.user.client.ui.HTML


I've noticed some use of the HTML class for generating some views. I
understand this is temporary code, but please do not use it when you are
making production-quality views. It allows HTML injection. For example,
this code in UserViewBuilder:

        // user-supplied strings concatenated straight into markup
        datatable.add(new HTML("UserName: <br />" + result.getUrlName() + "<br />"));
        datatable.add(new HTML("Full Name: <br />" + result.getFullName() + "<br />"));
        datatable.add(new HTML("Email: <br />" + result.getEmail() + "<br />"));
        datatable.add(new HTML("Role: <br />" + result.getRole() + "<br />"));

Reminds me of PHP code. I was able to sign in with a user called
"<b>matt</b>" and when I visited this page it displayed my name in bold. A
user could potentially get JavaScript injected this way. You should not be
inserting user-supplied strings into HTML like this. Instead, you should be
creating layouts, for example, creating Label or TextBox elements, and
setting their text attribute. Then GWT will take care of setting the HTML
contents.
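
As an added example that is not part of this message or of the mugle code base: the concatenation pattern quoted above placed next to the Label/TextBox version the message recommends, plus GWT's SafeHtmlBuilder for the case where inline markup really is needed. The UserResult class and its getters, the Panel-typed datatable parameter and the field() helper are assumptions standing in for the project's own types.

```java
import com.google.gwt.safehtml.shared.SafeHtmlBuilder;
import com.google.gwt.user.client.ui.HTML;
import com.google.gwt.user.client.ui.Label;
import com.google.gwt.user.client.ui.Panel;
import com.google.gwt.user.client.ui.TextBox;
import com.google.gwt.user.client.ui.VerticalPanel;

/**
 * Added example, not code from the mugle project. Contrasts the string-concatenation
 * pattern quoted in the message with the GWT APIs that escape user-supplied text.
 * UserResult and its getters are assumptions standing in for the real result type.
 */
public class UserViewExample {

    /** Hypothetical stand-in for the result object used in UserViewBuilder. */
    public static class UserResult {
        private final String urlName, fullName, email, role;

        public UserResult(String urlName, String fullName, String email, String role) {
            this.urlName = urlName; this.fullName = fullName; this.email = email; this.role = role;
        }
        public String getUrlName()  { return urlName; }
        public String getFullName() { return fullName; }
        public String getEmail()    { return email; }
        public String getRole()     { return role; }
    }

    /**
     * VULNERABLE: the pattern from the message. HTML(String) assigns the concatenated
     * string to innerHTML, so a user name of "<b>matt</b>" renders bold and a name
     * containing an event handler attribute runs script in every viewer's browser.
     */
    public static void buildUnsafe(Panel datatable, UserResult result) {
        datatable.add(new HTML("UserName: <br />" + result.getUrlName() + "<br />"));
        datatable.add(new HTML("Full Name: <br />" + result.getFullName() + "<br />"));
    }

    /**
     * SAFE, as the message recommends: Label.setText() and TextBox.setText() write a
     * DOM text node / the value property, never innerHTML, so markup in the value is
     * displayed literally. Layout comes from widgets, not from "<br />" strings.
     */
    public static void buildWithWidgets(Panel datatable, UserResult result) {
        datatable.add(field("UserName:", result.getUrlName()));
        datatable.add(field("Full Name:", result.getFullName()));
        datatable.add(field("Email:", result.getEmail()));

        // A form field: TextBox.setText() is equally safe for untrusted input.
        TextBox roleBox = new TextBox();
        roleBox.setText(result.getRole());
        roleBox.setReadOnly(true);
        datatable.add(new Label("Role:"));
        datatable.add(roleBox);
    }

    /** Assumed helper: one caption plus one untrusted value, each as its own Label. */
    private static VerticalPanel field(String caption, String userValue) {
        VerticalPanel panel = new VerticalPanel();
        panel.add(new Label(caption));    // trusted constant
        panel.add(new Label(userValue));  // untrusted; Label escapes it by construction
        return panel;
    }

    /**
     * When inline markup is genuinely needed, build it with SafeHtmlBuilder:
     * appendEscaped() HTML-escapes the dynamic part, and only appendHtmlConstant()
     * may emit tags. HTML(SafeHtml) then accepts the result without any concatenation.
     */
    public static HTML captionedValue(String caption, String userValue) {
        SafeHtmlBuilder b = new SafeHtmlBuilder();
        b.appendEscaped(caption)
         .appendHtmlConstant("<br />")
         .appendEscaped(userValue)
         .appendHtmlConstant("<br />");
        return new HTML(b.toSafeHtml());
    }
}
```

The useful habit this illustrates is that the only place raw markup should ever appear is in a string literal passed to appendHtmlConstant(); every value that originates from a user, a database or a service response goes through a Label, a TextBox or appendEscaped(), so a review can grep for `new HTML("` and string concatenation to find the remaining injection points.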