Security issue with Clients.showNotification

asked 2024-03-22 17:49:45 +0800

dis gravatar image dis flag of Switzerland
140 4


This line in Java class:

image description

shows the message box and executes the JavaScript in the browser.

Is it possible to prevent the execution of that script on browser side? Or is it possible to sanitize the message? If not, its a security issue.

Thanks, Best regards Dieter

delete flag offensive retag edit


if you think an answer is acceptable, please click "checkmark" to accept the answer. thanks :)

hawk ( 2024-04-08 09:20:27 +0800 )edit

1 Answer

Sort by » oldest newest most voted

answered 2024-03-27 11:41:42 +0800

hawk gravatar image hawk
3250 1 5
http://hawkphoenix.blogsp... ZK Team

Thank you for bringing up your concerns regarding the execution of JavaScript through the Clients.showNotification()'. Your observations are indeed accurate. ZK offers a wide range of flexibility through its APIs, including `Clients``, to perform browser-side operations directly from the server. This design choice intentionally avoids automatic escaping of HTML or JavaScript content, under the assumption that the data being manipulated through these APIs originates from a trusted source.

In the context of Clients.showNotification and similar APIs, ZK treats the input as trusted data. This approach aligns with the framework's philosophy to empower developers by offering them the flexibility to implement custom functionality as required by their application's logic.

However, it's crucial to recognize the responsibility that comes with this flexibility, especially in scenarios where the data might originate from or include user-generated content. In such cases, it is the application developers' responsibility to ensure that any data used is properly sanitized before being passed to such methods. Implementing appropriate data sanitization routines helps mitigate potential security risks, such as Cross-site Scripting (XSS) attacks.

For more details, please see https://www.zkoss.org/wiki/ZKDeveloper%27sReference/SecurityTips/Cross-sitescripting#Somemethodsof_Clients

link publish delete flag offensive edit
Your answer
Please start posting your answer anonymously - your answer will be saved within the current session and published after you log in or create a new account. Please try to give a substantial answer, for discussions, please use comments and please do remember to vote (after you log in)!

[hide preview]

Question tools




Asked: 2024-03-22 17:49:45 +0800

Seen: 8 times

Last updated: Mar 27

Support Options
  • Email Support
  • Training
  • Consulting
  • Outsourcing
Learn More