Cross-site scripting
This documentation is for an older version of ZK. For the latest one, please click here.
Overview
Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications that enables malicious attackers to inject client-side script into web pages viewed by other users. Because HTML documents have a flat, serial structure that mixes control statements, formatting, and the actual content, any non-validated user-supplied data that is included in the resulting page without proper HTML encoding may lead to markup injection.
To prevent XSS attacks, ZK components encode any value that might be input by a user, such as the value of a label or textbox, by escaping & and other unsafe characters. For example, the following statement is safe no matter what the value of any_value might be:
<textbox value="${any_value}"/>
However, there are still some points worth paying attention to.
The content Property of html and comboitem
The content property of the html and comboitem components is designed to allow the application to generate HTML content directly. In other words, it is not encoded. Thus, it is better not to pass it a value input by a user, unless that value has been encoded properly. For example, in the following statement the value of any_content is emitted directly, so it is vulnerable to XSS if it was provided by a user and was not properly encoded:
<html>${any_content}</html>
- Java API: Html.setContent(String) and Comboitem.setContent(String)
Since ZK is a framework that needs to output functioning HTML, JavaScript and CSS code, it cannot prevent every kind of XSS attack vector. Especially when using unchecked functionality or when implementing custom components, XSS needs to be considered. (Of course, if there are XSS problems within the framework itself, please don't hesitate to report them to us so we can fix them.) So there is a responsibility on the application developer's side as well to handle user input with additional care.
XSS Cheat sheet
As the number of possible attack methods seems overwhelming and keeps growing over time, making it hard to follow and understand each single method, OWASP maintains an XSS Prevention Cheat Sheet that shows best practices for preventing attacks even without knowing all the details of every single exploit.