[Esapi-user] Tricky encoding question

Matthew Presson matthew.presson at gmail.com
Mon Jun 20 17:21:40 EDT 2011


Thank you all for your responses.

As an aside, I was able to recommend a "better way" to write the above code
so as not to require the double encoding.

Original:

> <a HREF=""
> onClick="window.open('
> http://www.example.com/app/page.jsp?param1=a&param2=b&param3=<%=request.getParameter("test")%>',
> 'windowRef', '
> resizable=yes,scrollbars=yes,status=no,location=no,toolbars=yes,height=500,width=800');
> return false;">link text</a>


"Better" version:

> <a href="http://www.example.com/app/page.jsp?param1=a&param2=b&param3=<%=
> outputEncoder.encodeForURL(request.getParameter("test")) %>"
> target="_blank" onclick="window.open(this.href, this.target,'
> resizable=yes,scrollbars=yes,status=no,location=no,toolbars=yes,height=500,width=800');
> return false">link text</a>


Matt
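Added example, not part of Matt's post or of ESAPI itself: the script below renders both link structures from the post and shows why the first one needs three encoding layers (URL component, then JavaScript string literal, then HTML attribute) while the second needs only URL encoding plus attribute encoding. The encode_for_* functions are stand-ins that mimic what ESAPI's encodeForURL, encodeForJavaScript and encodeForHTMLAttribute do to the characters that matter here; the render_* functions and the PAYLOAD value are constructed for this illustration and are not from the thread.

```python
"""Added example: how many output-encoding layers each link structure needs.

Nothing here is ESAPI itself; the encode_for_* functions are stand-ins that
behave like encodeForURL / encodeForJavaScript / encodeForHTMLAttribute for
the characters that matter in this context-stacking problem.
"""
import html
from urllib.parse import quote, unquote

# Constants copied from the markup in the post.
BASE_URL = "http://www.example.com/app/page.jsp?param1=a&param2=b&param3="
FEATURES = ("resizable=yes,scrollbars=yes,status=no,location=no,"
            "toolbars=yes,height=500,width=800")

# Constructed attacker value for request.getParameter("test"): closes the JS
# string literal and the window.open() call, then appends its own statement.
PAYLOAD = "x','_blank');alert(document.cookie);//"


def encode_for_url(s: str) -> str:
    """Stand-in for ESAPI encodeForURL: percent-encode all but unreserved chars."""
    return quote(s, safe="")


def encode_for_javascript(s: str) -> str:
    """Stand-in for ESAPI encodeForJavaScript: every non-alphanumeric character
    becomes \\xHH or \\uHHHH, so no quote, bracket or semicolon survives."""
    out = []
    for ch in s:
        if ch.isascii() and ch.isalnum():
            out.append(ch)
        elif ord(ch) < 0x100:
            out.append(f"\\x{ord(ch):02X}")
        else:
            out.append(f"\\u{ord(ch):04X}")
    return "".join(out)


def encode_for_html_attribute(s: str) -> str:
    """Stand-in for ESAPI encodeForHTMLAttribute: quotes, <, > and & to entities."""
    return html.escape(s, quote=True)


def render_original_unsafe(test: str) -> str:
    """The post's original markup: raw value spliced into URL -> JS string -> attribute."""
    js = f"window.open('{BASE_URL}{test}', 'windowRef', '{FEATURES}'); return false;"
    return f'<a HREF="" onClick="{js}">link text</a>'


def render_original_hardened(test: str) -> str:
    """Same structure, encoded for each context innermost first:
    URL component, then JavaScript string literal, then HTML attribute."""
    value = encode_for_javascript(encode_for_url(test))
    js = f"window.open('{BASE_URL}{value}', 'windowRef', '{FEATURES}'); return false;"
    return f'<a HREF="" onClick="{encode_for_html_attribute(js)}">link text</a>'


def render_better(test: str) -> str:
    """The post's 'better' markup: the value only ever sits in the href, so the
    JavaScript layer disappears. encodeForURL output contains no quote, <, > or &,
    which is why the post gets away with URL encoding alone; the attribute
    encoding here additionally turns the static &s of BASE_URL into &amp;."""
    href = encode_for_html_attribute(BASE_URL + encode_for_url(test))
    js = f"window.open(this.href, this.target, '{FEATURES}'); return false"
    return (f'<a href="{href}" target="_blank" '
            f'onclick="{encode_for_html_attribute(js)}">link text</a>')


def payload_survives(markup: str, payload: str = PAYLOAD) -> bool:
    """True if the attacker's text appears in the rendered markup unencoded."""
    return payload in markup


def url_round_trips(s: str) -> bool:
    """page.jsp applies one URL decode to param3 and must get the value back."""
    return unquote(encode_for_url(s)) == s


if __name__ == "__main__":
    for name, fn in [("original (unencoded)", render_original_unsafe),
                     ("original (3 layers)", render_original_hardened),
                     ("better (2 layers)", render_better)]:
        print(f"{name}: payload survives = {payload_survives(fn(PAYLOAD))}")
        print("   " + fn(PAYLOAD))
```

The point to take from running it: the hardened original is correct but fragile, because the three layers must be applied in exactly the innermost-first order and anyone later touching the template has to know that. Moving the untrusted value into href removes the JavaScript string context entirely, and window.open(this.href, this.target, ...) reads the already-parsed URL from the DOM instead of re-embedding it in script.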