2 Replies Latest reply on May 4, 2009 8:04 PM by javier_castanon

    How secure is RichFaces?

    javier_castanon

      ICEfaces claims to be the most secure Ajax solution on the market today:

      http://www.icefaces.org/main/ajax-java/whyicefaces.iface

      They even have a somehow outdated paper about AJAX security. Does anybody know about a similar resource regarding RichFaces security? I'm afraid I'd have to assemble one myself.


      Javier

        • 1. Re: How secure is RichFaces?
          nbelaevski

          Hello Javier,

RF is secure. There are several components (client-side rendered ones) that are potentially sensitive to XSS attacks. Such components are rich:dragIndicator, rich:contextMenu, rich:progressBar, rich:fileUpload and rich:calendar. Application developers should add checks if application users are allowed to modify the data used to build the component body, e.g. for the livedemo calendar organiser example:

<h:outputText value="#{data.shortDescription.escapeHTML()}"/>
Note the call to the escapeHTML() function.

          Also please take a look: http://www.jboss.org/community/docs/DOC-13239
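The rule from the reply above, shown as an added example that is not code from the thread or from RichFaces: a calendar entry is built into markup in the browser, once without and once with the kind of escaping escapeHTML() provides. The entry, the wrapper markup and the function names are constructed for illustration.

```javascript
// Added example (not from the thread or RichFaces): data that a
// client-side rendered component turns into markup must be escaped
// at the point it becomes markup, because server-side JSF escaping
// never saw the string.

// Constructed calendar entry whose description carries markup.
const SAMPLE_EVENT = {
  title: "Team sync",
  shortDescription: "Bring the Q2 plan <script>alert('xss')</script>",
};

// Equivalent of the escapeHTML() call in the reply: make the five
// HTML-significant characters inert so the browser shows them as text.
function escapeHTML(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Unsafe: the component body is assembled by string concatenation in
// the browser, so the raw description lands in the DOM as markup.
function renderEventUnsafe(ev) {
  return `<div class="cal-event"><b>${ev.title}</b>: ${ev.shortDescription}</div>`;
}

// Safe: every user-controlled value is escaped where it is inserted.
function renderEventSafe(ev) {
  return `<div class="cal-event"><b>${escapeHTML(ev.title)}</b>: ` +
    `${escapeHTML(ev.shortDescription)}</div>`;
}

// Defender's check used by the assertions: did a script tag survive?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}
```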

          • 2. Re: How secure is RichFaces?
            javier_castanon



            "nbelaevski" wrote:
            Hello Javier,

            RF is secure. There are several components (client-side rendered ones) that are potentially sensitive to XSS attacks.


Great quote about components that given their nature (client side rendered) have to always be checked. As I see it this is more an Ajax-related issue than a RichFaces one.

Application developers should add checks if application users are allowed to modify the data used to build the component body, e.g. for the livedemo calendar organiser example:
<h:outputText value="#{data.shortDescription.escapeHTML()}"/>
Note the call to the escapeHTML() function.


            Another good rule of thumb.


            Also please take a look: http://www.jboss.org/community/docs/DOC-13239


Thank you very much, I believe it is an excellent complement to http://seamframework.org/Documentation/WebVulnerabilitiesOverview

            Thank you very much