Security issue with Clients.showNotification

asked 2024-03-22 17:49:45 +0800

dis
Hi

This line in Java class:

image description

shows the message box and executes the JavaScript in the browser.

Is it possible to prevent the execution of that script on the browser side? Or is it possible to sanitize the message? If not, it's a security issue.

Thanks, Best regards Dieter

Comments

if you think an answer is acceptable, please click "checkmark" to accept the answer. thanks :)

hawk ( 2024-04-08 09:20:27 +0800 )edit

1 Answer

answered 2024-03-27 11:41:42 +0800

hawk (ZK Team)

Thank you for bringing up your concerns regarding the execution of JavaScript through `Clients.showNotification()`. Your observations are indeed accurate. ZK offers a wide range of flexibility through its APIs, including `Clients`, to perform browser-side operations directly from the server. This design choice intentionally avoids automatic escaping of HTML or JavaScript content, under the assumption that the data being manipulated through these APIs originates from a trusted source.

In the context of Clients.showNotification and similar APIs, ZK treats the input as trusted data. This approach aligns with the framework's philosophy to empower developers by offering them the flexibility to implement custom functionality as required by their application's logic.

However, it's crucial to recognize the responsibility that comes with this flexibility, especially in scenarios where the data might originate from or include user-generated content. In such cases, it is the application developers' responsibility to ensure that any data used is properly sanitized before being passed to such methods. Implementing appropriate data sanitization routines helps mitigate potential security risks, such as Cross-site Scripting (XSS) attacks.

For more details, please see https://www.zkoss.org/wiki/ZKDeveloper%27sReference/SecurityTips/Cross-sitescripting#Somemethodsof_Clients

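The mitigation the answer describes, shown as an added example that is not ZK's own code or the answerer's: the message is escaped before it is handed to `Clients.showNotification(String)`, so any markup in user-supplied text is displayed literally rather than rendered. The `escapeHtml` helper is a hypothetical minimal escaper written for this example, not a ZK API.

```java
import org.zkoss.zk.ui.util.Clients;

public final class SafeNotification {

    // Hypothetical helper: escapes the five characters that let text be
    // interpreted as HTML. Replace with your project's escaping library.
    static String escapeHtml(String s) {
        if (s == null) return "";
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Unsafe: ZK treats the argument as trusted, so markup or script inside
    // user-controlled text reaches the browser unchanged (the XSS the question describes).
    static void notifyUnsafe(String userInput) {
        Clients.showNotification(userInput);
    }

    // Safe: escape untrusted text first; the browser then shows it as plain text.
    static void notifySafe(String userInput) {
        Clients.showNotification(escapeHtml(userInput));
    }
}
```

Apply the same escaping to every `Clients` method that forwards text to the browser, and escape at the point of use rather than at input time so stored values stay unmodified.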