Might be a noobish question (most likely) but according to the official developer documents GWT’s HTML widget is not XSS safe and one must exercise caution when embedding custom HTML/Script text.
So I guess my question is, why does this:
HTML testLabel = new HTML("dada<script type='text/javascript'>document.write('<b>Hello World</b>');</script>");
not show a JavaScript popup? If somehow GWT’s HTML widget does protect from XSS attacks, then in what types of situations does it not (so I can know what to expect)?
GWT documentation contains few articles about security (including dealing with XSS using SafeHtml).
Your example doesn’t work because scripts defined via innerHTML don’t get executed in Chrome/Firefox (I think there was some workaround for IE using the defer attribute). But you shouldn’t rely on this browser restriction, so it is better to use SafeHtml and always validate inputs from users.
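As an added illustration of what the answer recommends (this is example code, not from the question, the answer, or the GWT project), the snippet below reimplements in plain JavaScript the escaping that GWT's SafeHtmlUtils.fromString() applies, next to the unescaped path that SafeHtmlUtils.fromTrustedString() takes, so the difference can be run in Node without a browser. The function names, the escape table and the sample string are this example's own; the sample is the string from the question.

```javascript
// Added example (not from the question, the answer, or GWT): the escaping
// behind SafeHtmlUtils.fromString(), rewritten in plain JavaScript so it runs
// in Node. GWT's htmlEscape replaces & < > " and '; this table and the helper
// names are assumptions made for the example.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Escape every character that could open a tag, attribute or entity.
function htmlEscape(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Mirrors SafeHtmlUtils.fromString: untrusted text becomes inert markup.
function safeHtmlFromString(untrusted) {
  return { html: htmlEscape(untrusted), trusted: true };
}

// Mirrors SafeHtmlUtils.fromTrustedString: no escaping at all. Only for
// markup the developer wrote; passing user input here is the XSS mistake.
function safeHtmlFromTrustedString(developerMarkup) {
  return { html: String(developerMarkup), trusted: true };
}

// Mirrors a SafeHtmlBuilder use: constant markup around escaped user text.
function greeting(userName) {
  return { html: '<b>Hello ' + htmlEscape(userName) + '</b>', trusted: true };
}

// Check used below: does the markup still contain any element tag?
// Escaped output must never match, whatever the input was.
function containsTag(html) {
  return /<[a-zA-Z/!]/.test(html);
}

// Constructed sample input: the string from the question.
const SAMPLE =
  "dada<script type='text/javascript'>document.write('<b>Hello World</b>');</script>";

if (typeof require !== 'undefined' && require.main === module) {
  console.log('escaped:   ' + safeHtmlFromString(SAMPLE).html);
  console.log('trusted:   ' + safeHtmlFromTrustedString(SAMPLE).html);
  console.log('greeting:  ' + greeting(SAMPLE).html);
}
```

The point to take from it is that the escaped form is safe regardless of what the browser does with script elements inserted through innerHTML: the output contains no `<` at all, so nothing can be parsed as markup. The trusted form is exactly as dangerous as the raw string, which is why the GWT API makes that constructor a separate, deliberately named call.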