diff --git a/articles/framework/advanced/advanced-urifu.asciidoc b/articles/framework/advanced/advanced-urifu.asciidoc
index 1c179ade44..fef7b8ae33 100644
--- a/articles/framework/advanced/advanced-urifu.asciidoc
+++ b/articles/framework/advanced/advanced-urifu.asciidoc
@@ -108,6 +108,8 @@ public class MyUI extends UI {
 }
 void enter(String fragment) {
+ // it is good practice to not use the fragment directly but to sanitize it first
+ // since it can be set by the user
 ... initialize the UI ...
 }
 }
@@ -155,7 +157,7 @@ public class MyCustomServlet extends VaadinServlet
 Writer writer = response.getWriter();
 writer.append("
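Review bot: The comment added in `enter(String fragment)` tells the reader to "sanitize" the fragment without saying what the fragment is used for, and the correct control depends on that: a value that selects a view should be validated against the names the UI actually knows, while escaping only helps where the value is rendered into HTML or JavaScript. Suggest replacing the two added lines with `// The fragment comes from the URL, so any link can set it: treat it as untrusted input and` / `// validate it against the views this UI knows (or escape it for the exact context if it is ever rendered).` Whether enter() uses the fragment for navigation is not visible here, so adjust the wording to what the surrounding example does. MyUI's body continues outside the hunk.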
"+
 "Here is some crawlable "+
- "content about " + fragment + "
");
+ "content about " + sanitizeHtmlFragment(fragment) + "");
 // A list of all crawlable pages
 String items[] = {"mercury", "venus",
@@ -172,6 +174,11 @@ public class MyCustomServlet extends VaadinServlet
 } else super.service(request, response);
 }
+
+ private String sanitizeHtmlFragment(String s){
+ // return a String that is safe to use in HTML
+ ... implementation ...
+ }
 }
 ----
diff --git a/articles/framework/articles/AccessingWebPageAndBrowserInformation.asciidoc b/articles/framework/articles/AccessingWebPageAndBrowserInformation.asciidoc
index 7f67ac886c..c354f7aa4e 100644
--- a/articles/framework/articles/AccessingWebPageAndBrowserInformation.asciidoc
+++ b/articles/framework/articles/AccessingWebPageAndBrowserInformation.asciidoc
@@ -38,6 +38,14 @@ page.addUriFragmentChangedListener(new UriFragmentChangedListener() {
 });
 ....
+Note: HTML is disabled by default in Notifications, but can be enabled with
+[methodname]#setHtmlContentAllowed(true)#. When enabled, you can use any HTML
+markup in the caption and description of a notification. If it is in any way
+possible to get the notification content from user input, you should either
+disallow HTML or sanitize the content carefully, as noted in
+<<../advanced/advanced-security#advanced.security.sanitizing,"Sanitizing
+User Input to Prevent Cross-Site Scripting">>.
+
 You can access client browser details:
 [source,java]
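Review bot: The escaping added on the `"content about "` line only holds if the browser decodes the response with the charset the escaper assumes, and this hunk calls `response.getWriter()` with no `setContentType` in view; once `getWriter()` has been called the content type and charset can no longer be changed, and the servlet default is not UTF-8. If service() does not set it before this point (its start is outside the hunk), add `response.setContentType("text/html;charset=UTF-8");` on the line before `Writer writer = response.getWriter();`. The reflected value is presumably the crawler's `_escaped_fragment_` request parameter, i.e. attacker-controlled for any requester, which is why both the escaping and the declared charset matter on this path.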
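Review bot: `sanitizeHtmlFragment` is left as `... implementation ...` under the comment `// return a String that is safe to use in HTML`, so the listing shows where to escape but not how, and a reader of a security example will fill in whatever they guess (often tag stripping, which misses attribute and entity tricks). For a value written into element text the right operation is HTML-escaping, not tag removal, and for this example a real body would be more useful than the placeholder: `return s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;").replace("\"", "&quot;").replace("'", "&#39;");` with `&` replaced first so already-escaped text is not double-encoded. The comment should state the intent rather than the goal: `// HTML-escape the value so it can only ever be text, never markup; prefer an existing escaper over a hand-written one`. MyCustomServlet's class body runs outside the hunk.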