I am testing whether I can inject script code into a website which is using SmartGWT and then query the input string back out to run the script.
I first input the following string into a text field on a webpage and submitted it:
"<script>alert(1)</script>"
(without the double quotes).
Then I queried out the input string, which is loaded through a SmartGWT table component.
With an HTML debug tool, I can see that the input string was placed inside a <nobr> tag inside a <td> tag. The HTML characters inside the input string weren't encoded, but the alert(1) code doesn't execute and no popup was shown. Does SmartGWT handle XSS automatically, or is there another reason that the script isn't executed?