XML attack vulnerability in some widgets
Added by nourieh sadat zabetzadeh about 2 years ago
Hi
Some Wt widgets (including WMessageBox) are vulnerable to XML attack. Is there any solution to this problem?
An example of this vulnerability is the following attack, which is executed and a line edit is created, if we give it as text to WMessageBox...
<input>this is a test</input>
Replies (1)
RE: XML attack vulnerability in some widgets - Added by Roel Standaert about 2 years ago
WMessageBox displays its text with TextFormat::XHTML by default. If you want only plaintext, you can set the format on the WText that is used:
messageBox->textWidget()->setTextFormat(Wt::TextFormat::Plain);
When TextFormat::XHTML is used we do some filtering. <input> is not one of the types of tags that is filtered out, though. You can see what is filtered in XSSUtils.C.
I agree, though, that Wt::TextFormat::Plain should probably have been the default.