5. “SELECT * FROM Users WHERE username=’”
+ userNameField.getValue() + “‘“
Not just SQL - could also be JPQL, HQL, shell,
XPath, XML, LDAP, regex, eval, ...
torsdag 19 december 13
12. Web frameworks can help
GWT
Vaadin
• setText
• SafeHtml
• setHtmlContentAllo
wed(false)
• Beware of tooltips
(setDescription)
torsdag 19 december 13
13. Other things to keep in
mind
Consider e.g. Markdown
instead of HTML for formatting
Different handling needed in
different contexts
Feel the power of the XSS filter
evasion cheat sheet
torsdag 19 december 13
15. Web frameworks can help
GWT
Vaadin
• Not so much, since
this is mostly a
server-side thing
• Can be hard to
realize the problem
since requests are
“invisible”
• All ids are
generated values
that the server uses
to find the right
object when
needed
torsdag 19 december 13
25. Web frameworks can help
GWT
Vaadin
• GWT-RPC:
XsrfTokenService
and/or
HasRpcToken
• RequestFactory:
Make your own
RequestTransport
• Secured out of the
box
torsdag 19 december 13