Escaping HTML strings from the client as a good practice to avoid XSS vulnerabilities in apps that build off of the default app.
Review at http://gwt-code-reviews.appspot.com/619803
Review by: mmendez@google.com
git-svn-id: https://google-web-toolkit.googlecode.com/svn/trunk@8293 8db76d5a-ed1c-0410-87a9-c151d255dfc7
diff --git a/user/src/com/google/gwt/user/tools/RpcServerTemplate.javasrc b/user/src/com/google/gwt/user/tools/RpcServerTemplate.javasrc
index 8d00ff5..5d55023 100644
--- a/user/src/com/google/gwt/user/tools/RpcServerTemplate.javasrc
+++ b/user/src/com/google/gwt/user/tools/RpcServerTemplate.javasrc
@@ -22,7 +22,27 @@
String serverInfo = getServletContext().getServerInfo();
String userAgent = getThreadLocalRequest().getHeader("User-Agent");
+
+ // Escape data from the client to avoid cross-site script vulnerabilities.
+ input = escapeHtml(input);
+ userAgent = escapeHtml(userAgent);
+
return "Hello, " + input + "!<br><br>I am running " + serverInfo
+ ".<br><br>It looks like you are using:<br>" + userAgent;
}
+
+ /**
+ * Escape an html string. Escaping data received from the client helps to
+ * prevent cross-site script vulnerabilities.
+ *
+ * @param html the html string to escape
+ * @return the escaped string
+ */
+ private String escapeHtml(String html) {
+ if (html == null) {
+ return null;
+ }
+ return html.replaceAll("&", "&").replaceAll("<", "<").replaceAll(
+ ">", ">");
+ }
}
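Review bot: As rendered, the three `replaceAll` calls in escapeHtml replace each character with itself (`"&"` → `"&"`, `"<"` → `"<"`, `">"` → `">"`), which would make the helper a no-op; this is most likely the page having decoded the entity references in the string literals, but it is worth confirming the raw source reads `&amp;`, `&lt;`, `&gt;`. Since the replacements are literal characters and not patterns, `String.replace(CharSequence, CharSequence)` is the better fit than the regex-based `replaceAll`. Escaping only `&`, `<` and `>` is adequate while the result lands in element text, as the `<br>` markup in greetServer suggests, but it does not cover attribute contexts; escaping quotes as well keeps the helper safe if a later change puts the string in an attribute: `return html.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;").replace("\"", "&quot;").replace("'", "&#39;");`. Note that serverInfo is concatenated into the same markup unescaped; it comes from the container rather than the client, so that is a judgement call, but escaping it too costs nothing. The greetServer method whose body this hunk edits begins outside the hunk.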