[Esapi-user] JavaScript encoding

Jim Manico jim.manico at owasp.org
Wed Aug 18 02:30:06 EDT 2010

Hello folks,


I've been trying to get my head wrapped around DOM based XSS and JavaScript
encoding in a way that is easy to communicate to a mass audience. Abe Kang
has been kind enough to talk me through these issues.


In my opinion, our JavaScript encoder
ESAPI.encoder().encodeForJavaScript(taint) needs more
explanation/documentation, and the ESAPI for JS project needs to be
integrated in the XSS Cheatsheet more. Abe thinks there are at least 5 new
XSS Cheatsheet rules specific to DOM XSS - and we will be working on it over
the next few weeks. I love this stuff - the rabbit hole never ends. :-)


So for starters, we edited rule #3 of the XSS Cheatsheet to briefly discuss
illegal JavaScript contexts:




The long and short of it is - there are some JavaScript contexts that can
NEVER handle user data - even if JavaScript encoded!


Try this little chunk of JSP out. Run this in Chrome, so you can kill the
never-ending popup easily.



window.setInterval('<%= ESAPI.encoder().encodeForJavaScript("alert('I XSS you Beef');") %>');



Are we on the right track? 


Cheers All,


