I have the backend with Vaadin UI. I want to protect the backend database from XSS attack. What do you recommend for XSS protection from Vaadin UI?
1 Answer
Vaadin has built-in XSS protection. All components correctly escape/encode the HTML tags.
BUT: You have the possibility to show "raw" html or js code in some components.
For example the label has the possibility to send the html code unescaped back to your browser. If you do this, then you will be open to attacks. In such cases you will have to make the correct filtering/escapes to prevent XSS attacks.
When a user enters this text in a text field:
<script>alert('test')</script>
Then that very same text, including all < > & ' etc. are saved in the backend/database. No reason to do anything else after all.
When you then read this back from the database, the Vaadin components (TextField, Label, ...) correctly escape all the required HTML characters/tags/entities, so that the web browser displays this on the screen:
<script>alert('test')</script>
When you use some other kind of web UI, then of course it's the responsibility of that UI layer to correctly escape all special characters.
More on the links below:
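The three cases described in the answer (default escaping, raw HTML mode, and escaping yourself before opting into HTML mode), as an added example that is not part of the original answer. It assumes the Vaadin 8 API (com.vaadin.ui.Label, com.vaadin.shared.ui.ContentMode); the stored value is a constructed sample standing in for a row read back from the database, and escapeHtml is a hypothetical helper written for this example.

```java
// Added example, not from the original answer. Assumes Vaadin 8:
// com.vaadin.ui.Label and com.vaadin.shared.ui.ContentMode.
import com.vaadin.server.VaadinRequest;
import com.vaadin.shared.ui.ContentMode;
import com.vaadin.ui.Label;
import com.vaadin.ui.UI;
import com.vaadin.ui.VerticalLayout;

public class EscapingDemoUI extends UI {

    // Constructed sample: exactly what the user typed, as it would be read
    // back from the database (stored unmodified, as the answer describes).
    static final String STORED = "<script>alert('test')</script>";

    // Hypothetical helper: minimal HTML escaping for text that you place
    // inside a ContentMode.HTML label. In TEXT mode Vaadin does this for
    // you, so the helper is only needed once you opt into raw HTML.
    static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    @Override
    protected void init(VaadinRequest request) {
        VerticalLayout layout = new VerticalLayout();

        // Default TEXT mode: Vaadin escapes the value, so the browser shows
        // the literal text "<script>alert('test')</script>".
        layout.addComponent(new Label(STORED));

        // HTML mode with the raw stored value: the markup is sent to the
        // browser unescaped. This is the case the answer warns about.
        layout.addComponent(new Label(STORED, ContentMode.HTML));

        // HTML mode with your own markup around the escaped value: the tag
        // text is rendered in bold and nothing executes.
        layout.addComponent(
            new Label("<b>" + escapeHtml(STORED) + "</b>", ContentMode.HTML));

        setContent(layout);
    }
}
```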