I have a textbox that lets users enter an image link (e.g. http://abc.test.gif), a textbox that lets users enter alternate text (e.g. "this test.gif"), and a submit button.
When the user clicks the submit button, the program generates the <img src="http://abc.test.gif" alt="this test.gif"> string and stores it in the DB for later use.
My question is: do I need to sanitize the image link "http://abc.test.gif" and the text in the alt attribute "this test.gif"?
For example, do I need to use UriUtils.isSafeUri("http://abc.test.gif") and SafeHtmlUtils.fromString("this test.gif")?
You are deliberately allowing user input to go into the src and alt attributes of an img tag. This indeed opens the door to a kind of XSS attack; there are examples that still work in recent browsers.
Also, since you are storing the string in the DB for later use (I'm guessing), the attack may occur at a later time, when you use that string to create a node in the DOM, with more unpredictable results.
One solution is to store the URL and the alternative string in the database (with proper input validation, if any), and generate the safe img snippet right when you need it, with a simple template like the following (or programmatically using SafeHtmlBuilder):
    // {0} only accepts a SafeUri and {1} only a SafeHtml, so a raw String cannot
    // be passed into either attribute
    public interface Template extends SafeHtmlTemplates {
        @Template("<img src=\"{0}\" alt=\"{1}\"/>")
        SafeHtml img(SafeUri uri, SafeHtml alternativeText);
    }
To be used like:
    Template template = GWT.create(Template.class); // instantiate the template interface
    template.img(
        UriUtils.fromString(yourValidatedDbUrl),
        SafeHtmlUtils.fromString(yourValidatedAlternativeText));
This way you:
- validate user input;
- store the validated values (as they are);
- generate the img snippet in a safe way when needed.
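The following is an added example that puts the answer's three steps together in one GWT client class; it is not code from the question or the answer. The GWT types used (UriUtils, SafeHtmlUtils, SafeHtmlTemplates, SafeUri, SafeHtml, HTML) are real, while the class and method names (ImageLinkForm, StoredImage, validate, render, toWidget, unsafeConcat) and the sample inputs in the comments are assumptions made for the illustration:

```java
// Added example (not the original poster's or answerer's code). Class, method and
// field names below are assumptions; the com.google.gwt.* APIs are the real ones.
import com.google.gwt.core.client.GWT;
import com.google.gwt.safehtml.client.SafeHtmlTemplates;
import com.google.gwt.safehtml.shared.SafeHtml;
import com.google.gwt.safehtml.shared.SafeHtmlUtils;
import com.google.gwt.safehtml.shared.SafeUri;
import com.google.gwt.safehtml.shared.UriUtils;
import com.google.gwt.user.client.ui.HTML;

public class ImageLinkForm {

    /** What gets persisted: the two validated raw strings, never an HTML snippet. */
    public static final class StoredImage {
        public final String url;
        public final String altText;

        StoredImage(String url, String altText) {
            this.url = url;
            this.altText = altText;
        }
    }

    /**
     * Compile-time checked template. {0} only accepts a SafeUri and {1} only a
     * SafeHtml, so an unescaped String cannot reach either attribute.
     */
    interface Template extends SafeHtmlTemplates {
        @Template("<img src=\"{0}\" alt=\"{1}\"/>")
        SafeHtml img(SafeUri uri, SafeHtml alternativeText);
    }

    private static final Template TEMPLATE = GWT.create(Template.class);

    /** Upper bound on alt text length; an assumed application limit, not a GWT rule. */
    private static final int MAX_ALT_LENGTH = 200;

    /**
     * Step 1, on submit: validate both fields, then keep them exactly as entered.
     * UriUtils.isSafeUri only accepts a small allowlist of schemes (http, https,
     * ftp, mailto, and data: URIs carrying an image), so anything else is rejected
     * before it is stored.
     */
    public static StoredImage validate(String url, String altText) {
        if (url == null || url.isEmpty() || !UriUtils.isSafeUri(url)) {
            throw new IllegalArgumentException("image link rejected: not a safe URI");
        }
        if (altText == null || altText.length() > MAX_ALT_LENGTH) {
            throw new IllegalArgumentException("alternate text missing or too long");
        }
        return new StoredImage(url, altText);
    }

    /**
     * Step 2, at render time: build the snippet from the stored values.
     * UriUtils.fromString re-checks the URI (an unsafe one is replaced by "#"),
     * and SafeHtmlUtils.fromString HTML-escapes quotes and angle brackets in the
     * alt text, so a stray '"' in the text cannot close the attribute.
     */
    public static SafeHtml render(StoredImage stored) {
        return TEMPLATE.img(
            UriUtils.fromString(stored.url),
            SafeHtmlUtils.fromString(stored.altText));
    }

    /** Step 3: put the snippet into the DOM without ever handling a raw HTML String. */
    public static HTML toWidget(StoredImage stored) {
        return new HTML(render(stored)); // HTML(SafeHtml) constructor, no setHTML(String)
    }

    /**
     * The pattern from the question, kept only for contrast: whatever the user typed
     * in either field is copied into the markup verbatim, and the resulting string
     * is what would have been stored and later inserted into the DOM.
     */
    public static String unsafeConcat(String url, String altText) {
        return "<img src=\"" + url + "\" alt=\"" + altText + "\">";
    }

    // Constructed sample inputs (not from the page):
    //   validate("http://abc.test.gif", "this test.gif") returns a StoredImage.
    //   validate("javascript:void(0)", "x") throws, because isSafeUri returns false.
    //   render(validate("http://abc.test.gif", "a \"quoted\" <caption>")) keeps the
    //   quotes and angle brackets inside the alt attribute as escaped entities,
    //   whereas unsafeConcat(...) with the same inputs would break out of it.
}
```

The point of splitting the work across validate and render is that the database never holds markup: if the escaping rules or the template change later, the stored values stay usable, and a value that slipped past an older check is still re-checked by UriUtils.fromString and escaped by SafeHtmlUtils.fromString at the moment it is rendered.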