I am testing whether I can inject script code into a website that uses SmartGWT and then query the input string back out to run the script.
I first entered the following string into a text field on a webpage and saved it (without the double quotes):
"<script>alert(1)</script>",
then I queried out the input string, which is loaded through a SmartGWT table component. With an HTML debug tool, I can see that the input string was placed inside a `<nobr>` tag inside a `<td>` tag. The HTML characters inside the input string weren't encoded, but the `alert(1)` code doesn't execute and no popup was shown. Does SmartGWT handle XSS automatically, or is there another reason that the script isn't executed?