[Esapi-user] JavaScript encoding

Jim Manico jim.manico at owasp.org
Wed Aug 18 02:30:06 EDT 2010


Hello folks,

 

I've been trying to get my head wrapped around DOM based XSS and JavaScript
encoding in a way that is easy to communicate to a mass audience. Abe Kang
has been kind enough to talk me through these issues.

 

In my opinion, our JavaScript encoder
ESAPI.encoder().encodeForJavaScript(taint) needs more
explanation/documentation, and the ESAPI for JS project needs to be
integrated in the XSS Cheatsheet more. Abe thinks there are at least 5 new
XSS Cheatsheet rules specific to DOM XSS - and we will be working on it over
the next few weeks. I love this stuff - the rabbit hole never ends. :)

 

So for starters, we edited rule #3 of the XSS Cheatsheet to briefly discuss
illegal JavaScript contexts:

 

http://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet#RULE_.233_-_JavaScript_Escape_Before_Inserting_Untrusted_Data_into_HTML_JavaScript_Data_Values

 

The long and short of it is - there are some JavaScript contexts that can
NEVER handle user data - even if JavaScript encoded!

 

Try this little chunk of JSP out. Run this in Chrome, so you can kill the
never ending popup easily.

 

<script>
window.setInterval('<%= ESAPI.encoder().encodeForJavaScript("alert('I XSS you Beef');") %>');
</script>

 

Are we on the right track? 

 

Cheers All,

Jim 
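To make the point of the JSP snippet above concrete, here is an added example (not ESAPI's code and not part of the original message): a simplified encoder in the style of encodeForJavaScript, a model of the string-literal parse that undoes it, and an eval-like sink beside the data-only form that is safe. The encoder, the sink model and the constructed input are assumptions, not ESAPI's real implementation.

```javascript
// Simplified stand-in for ESAPI's encodeForJavaScript: every non-alphanumeric
// UTF-16 code unit becomes \xHH (or \uHHHH above 0xFF). Enough to keep a value
// inside a JavaScript string literal; not the real ESAPI implementation.
function encodeForJavaScript(input) {
  let out = '';
  for (let i = 0; i < input.length; i++) {
    const ch = input[i];
    const cu = input.charCodeAt(i);
    if (/^[A-Za-z0-9]$/.test(ch)) out += ch;
    else if (cu < 0x100) out += '\\x' + cu.toString(16).padStart(2, '0');
    else out += '\\u' + cu.toString(16).padStart(4, '0');
  }
  return out;
}

// What the JSP emits: the encoded value dropped between single quotes.
function renderTemplate(taint) {
  return "'" + encodeForJavaScript(taint) + "'";
}

// The browser's lexer resolves the escapes while parsing the literal, so the
// string value the script receives is the original untrusted text again.
function parseStringLiteral(literal) {
  return literal.slice(1, -1).replace(/\\x([0-9a-f]{2})|\\u([0-9a-f]{4})/gi,
    (m, x, u) => String.fromCharCode(parseInt(x || u, 16)));
}

// setInterval(string) compiles its argument as code; modelled here with
// new Function so it runs outside a browser. The parsed string is executed
// whole, so the encoding bought nothing: this is the "illegal context".
function evalLikeSink(literal, log) {
  new Function('log', parseStringLiteral(literal))(log);
  return log;
}

// Safe shape: pass a function to the timer and treat the value purely as data.
function dataOnlySink(taint, log) {
  const data = parseStringLiteral(renderTemplate(taint));
  const tick = function () { log.push('displayed: ' + data); };
  tick(); // in a page this would be window.setInterval(tick, 1000)
  return log;
}

// Constructed input: a harmless stand-in for the alert() in the message.
const TAINT = "log.push('code ran')";

function demo() {
  const literal = renderTemplate(TAINT);
  return {
    roundTrip: parseStringLiteral(literal), // identical to TAINT
    evalLike: evalLikeSink(literal, []),    // ['code ran']: the code executed
    dataOnly: dataOnlySink(TAINT, []),      // ["displayed: log.push('code ran')"]
  };
}
```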
