Reputation: 15789
We let our users upload HTML to our servers. We need a template language so users can insert variables into the rendered output, iterate over lists, etc. We're currently using JSF as our template language.
If we let users upload XHTML with JSF tags in it, is there anything bad they can do? Or are they sandboxed?
We deliberately avoided JSP because we don't want a user to insert malicious Java code in a page that could run on the server.
Upvotes: 4
Views: 101
Reputation: 11933
JSF pages are not sandboxed, in a security sense. There are scope limitations, but this is not really the same thing (some overlap, but they have different objectives). You should probably not allow the upload of JSF code, but you probably will anyway, so screen/sanitize the input as best as possible. Use a whitelist of safe operations if possible. Blacklists are almost always trivial to escape because an enumeration of possible evil values is impossible. Be careful, and get your site professionally penetration tested when you're done to make sure you didn't miss anything obvious.
Upvotes: 1
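One way to apply the whitelist approach from the answer above, as an added example that is not code from either poster: an upload screen that parses the XHTML and accepts it only if every element, attribute and EL expression is on an allowlist. The element and attribute lists, the variable names `model` and `item`, and the rule that uploads carry no DOCTYPE are assumptions chosen for illustration.

```java
import java.util.Set;
import java.util.regex.Pattern;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.*;

public class TemplateAllowlist {
    static final String XHTML = "http://www.w3.org/1999/xhtml|";
    static final String UI = "http://java.sun.com/jsf/facelets|";
    // Assumed policy: only these namespace|element pairs and attribute names are accepted.
    static final Set<String> TAGS = Set.of(XHTML + "div", XHTML + "p", XHTML + "span",
            XHTML + "ul", XHTML + "li", UI + "repeat");
    static final Set<String> ATTRS = Set.of("class", "value", "var");
    // Safe EL: a property path rooted at model or item; no calls, operators, brackets or .class
    static final Pattern SAFE_EL = Pattern.compile("[#$]\\{\\s*(?:model|item)(?:\\.(?!class\\b)[A-Za-z_]\\w*)*\\s*\\}");

    static boolean textOk(String s) {
        // Strip expressions in the safe form; any expression opener left over is rejected.
        String rest = SAFE_EL.matcher(s).replaceAll("");
        return !rest.contains("#{") && !rest.contains("${");
    }
    static boolean nodeOk(Node n) {
        if (n instanceof Text) return textOk(n.getNodeValue());  // includes CDATA sections
        if (!(n instanceof Element)) return false;                // comments, processing instructions
        if (!TAGS.contains(n.getNamespaceURI() + "|" + n.getLocalName())) return false;
        NamedNodeMap attrs = n.getAttributes();
        for (int i = 0; i < attrs.getLength(); i++) {
            String name = attrs.item(i).getNodeName();
            if (name.equals("xmlns") || name.startsWith("xmlns:")) continue;  // namespace declarations
            if (!ATTRS.contains(name) || !textOk(attrs.item(i).getNodeValue())) return false;
        }
        for (Node c = n.getFirstChild(); c != null; c = c.getNextSibling()) if (!nodeOk(c)) return false;
        return true;
    }
    static boolean accept(String xhtml) {
        try {
            DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
            f.setNamespaceAware(true);
            f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
            return nodeOk(f.newDocumentBuilder().parse(
                    new org.xml.sax.InputSource(new java.io.StringReader(xhtml))).getDocumentElement());
        } catch (Exception e) { return false; }  // unparsable input is rejected
    }
    public static void main(String[] args) {
        // Constructed sample uploads: one inside the policy, two outside it.
        String open = "<div xmlns='http://www.w3.org/1999/xhtml' xmlns:ui='http://java.sun.com/jsf/facelets'>";
        System.out.println(accept(open + "<ui:repeat value='#{model.items}' var='item'><p>#{item.name}</p></ui:repeat></div>"));
        System.out.println(accept(open + "<p>#{session.id}</p></div>"));
        System.out.println(accept(open + "<p>#{item.save()}</p></div>"));
    }
}
```

The check runs on the parsed DOM rather than the raw upload, so character references are decoded before the expression match, and anything the policy does not name is rejected by default.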