Reputation: 3652
For setHTML() method, is it still safe If we do not use Safehtml but we validate the String & only accept some limited html tag (Gwt)?
Any widget that has setHTML method could give a hole in security system, but if we validate String & only accept some limited html tags such as <b>, <i>.... And then we put this string into setHTML method.
Then my question is "is it still safe if we do that"
For example, we check the String text to make sure it only contain some limited html tags <b>, </b>, <i>, </i>... If the string text contain other tags then we won't let uses to input that text. Then we use:
html1.setHTML(text); instead of html1.setHTML(SafeHtmlUtils.fromString(text))
i don't know why html1.setHTML(SafeHtmlUtils.fromString(text)) does not generate the formatted text, it just shows plain text when i run it in eclipse? For example
html1.setHTML(SafeHtmlUtils.fromString("<b>text</b>"))
will have plain text result <b>text</b> instead of bold text "text" with correct html format
Upvotes: 0
Views: 1105
Answers (1)
Reputation: 18331
You want to sanitize the html, not escape it. The fromString method is meant to escape the string - if a user types enters a < b, but forgets the space, then adds >c, you don't want the c to be bold and the b to be missing entirely. Escaping is done to actually render the string that is given, assuming it is text.
On the complete other end of the spectrum, you can use fromTrustedString which tells GWT that you absolutely trust the source of the data, and that you will allow it to do anything. This typically should not be done for any data that comes from the user.
Somewhere off to the side of all of the then we have sanitation, the process where you take a string that is meant to be HTML, and ensure it is safe, rather than either treating it like text, or trusting it implicitly. This is hard to do well - any tag that has a style attribute could potentially attack you (this is why GWT has SafeStyle like SafeHtml, any tag that has a uri, url or href could be used to attack (hence SafeUri), and any attribute that the browser treats as a callback such as onclick or the like can be used to run JavaScript. The HtmlSanitizer type is meant to be able to do this.
There is a built-in implementation of this, as of at least GWT 2.4 - SimpleHtmlSanitizer. This class whitelists certain html tags, including your <b> and <i> tags, as well as a few others. Attributes are completely removed, as there are too many cases where they might not be safe. As the class name suggests, this is just a simple approach to this problem - a more complex and in-depth approach might be more true to the original code, but this also comes with the risk of allowing unsafe HTML content.
Upvotes: 2
Related Questions
- Why SafeHtml only shows plain text & does not show formmatted text (GWT)?
- Why setHTML("<table><tr>..</tr></table>"); but then getHTML(); return "<table><tbody><tr>..</tr></tbody></table>" (Gwt)?
- Can SafeHtmlBuilder excapse SafeHtml while still keeping SafeHtml the way it is(GWT)?
- How safely generate HTML pages on GWT?
- Is there a need for GWT SafeHtml when using UiBinder?
- GWT Safe HTML Framework: When to use, and why?
- how to convert my HTML into SafeHtml in GWT
- GWT SimpleHtmlSanitizer
- When using MVC in GWT, is it better to have the model use raw strings or SafeHtml?
- GWT SafeHTML, XSS & Best Practices