1. Re: How secure is RichFaces?
nbelaevski May 4, 2009 2:37 PM (in response to javier_castanon)
Hello Javier,
RF is secure. There are several components (client-side rendered ones) that are potentially sensitive to XSS attacks. Such components are rich:dragIndicator, rich:contextMenu, rich:progressBar, rich:fileUpload and rich:calendar. The application developer should add checks on whether application users are allowed to modify the data used to build the component body, e.g. for the livedemo calendar organiser example:
<h:outputText value="#{data.shortDescription.escapeHTML()}"/>
note the call to escapeHTML() function.
Also please take a look: http://www.jboss.org/community/docs/DOC-13239
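The point made above, as an added example in browser-side JavaScript (this is not RichFaces code and not the livedemo's; the component markup, the escapeHTML function and the hostile calendar entry are constructed here for illustration): a client-rendered component that concatenates a user-supplied description into its body, beside the same component with the description escaped first.

```javascript
// Added example, not RichFaces code: why a component whose body is built
// in the browser needs its data HTML-escaped before it is concatenated.

// Escape the five characters that can break out of HTML text or an
// attribute value. Same contract as the escapeHTML() call in the post.
function escapeHTML(str) {
  return String(str)
    .replace(/&/g, "&amp;")   // must run first so later entities survive
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Stand-in for a client-rendered calendar cell (hypothetical markup): the
// component receives the entry as JSON and builds its body by string
// concatenation, so whatever is in shortDescription lands in the DOM as-is.
function renderEntryUnsafe(entry) {
  return '<div class="entry" title="' + entry.shortDescription + '">' +
         entry.shortDescription + '</div>';
}

// Same component with the description escaped once, before concatenation.
// It is used in both an attribute value and text content, and the same
// escaping covers both contexts.
function renderEntrySafe(entry) {
  const desc = escapeHTML(entry.shortDescription);
  return '<div class="entry" title="' + desc + '">' + desc + '</div>';
}

// Constructed sample: an organiser entry whose description a user controls.
// It closes the title attribute and injects an element with a handler.
const hostileEntry = {
  shortDescription: '"><img src=x onerror="alert(document.cookie)">'
};

// True when the rendered markup still contains a raw <img tag, i.e. the
// payload would be parsed as an element rather than shown as text.
function containsRawImgTag(html) {
  return /<img\b/i.test(html);
}

console.log("unsafe:", renderEntryUnsafe(hostileEntry));
console.log("safe:  ", renderEntrySafe(hostileEntry));
```

The escaping must happen exactly once, at the point where the value goes into markup; escaping it on the server and then again on the client double-encodes (the user sees a literal `&amp;lt;`), while escaping it nowhere is the XSS the post warns about.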
2. Re: How secure is RichFaces?
javier_castanon May 4, 2009 8:04 PM (in response to javier_castanon)
"nbelaevski" wrote:
Hello Javier,
RF is secure. There are several components (client-side rendered ones) that are potentially sensitive to XSS attacks.
Great quote about components that, given their nature (client-side rendered), always have to be checked. As I see it this is more an Ajax-related issue than a RichFaces one.
The application developer should add checks on whether application users are allowed to modify the data used to build the component body, e.g. for the livedemo calendar organiser example:
<h:outputText value="#{data.shortDescription.escapeHTML()}"/>
note the call to escapeHTML() function.
Another good rule of thumb.
Also please take a look: http://www.jboss.org/community/docs/DOC-13239
Thank you very much, I believe it is an excellent complement to http://seamframework.org/Documentation/WebVulnerabilitiesOverview
Thank you very much