[Esapi-user] Tricky encoding question
Chris Schmidt
chris.schmidt at owasp.org
Mon Jun 20 17:39:16 EDT 2011
Best solution yet. :)
On 6/20/2011 3:21 PM, Matthew Presson wrote:
> Thank you all for your responses.
>
> As an aside, I was able to recommend a "better way" to write the above
> code so as not to require the double encoding.
>
> Original:
>
> <a HREF=""
> onClick="window.open('http://www.example.com/app/page.jsp?param1=a&param2=b&param3=<%=request.getParameter("test")%>',
> 'windowRef', 'resizable=yes,scrollbars=yes,status=no,location=no,toolbars=yes,height=500,width=800');
> return false;">link text</a>
>
>
> "Better" version:
>
> <a
> href="http://www.example.com/app/page.jsp?param1=a&param2=b&param3=<%= outputEncoder.encodeForURL(request.getParameter("test")) %>"
> target="_blank" onclick="window.open(this.href,
> this.target,'resizable=yes,scrollbars=yes,status=no,location=no,toolbars=yes,height=500,width=800');
> return false">
>
>
> Matt
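
Added example (not part of the original thread, and not ESAPI code): a Python sketch of the "better" pattern quoted above. It renders the link with the request value URL-encoded into the href, then parses the markup back the way a browser would (HTML attribute decoding, then URL parsing) to confirm the value lands only in param3. urllib.parse.quote and html.escape stand in for ESAPI's encodeForURL and for HTML attribute encoding; render_link, parse_rendered and SAMPLE are names made up for this example.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import parse_qs, quote, urlsplit

# URL prefix and window features are taken from the thread; the rest is assumed.
BASE = "http://www.example.com/app/page.jsp?param1=a&param2=b&param3="
FEATURES = ("resizable=yes,scrollbars=yes,status=no,location=no,"
            "toolbars=yes,height=500,width=800")
HANDLER = "window.open(this.href, this.target, '%s'); return false" % FEATURES


def render_link(test_value):
    """Render the anchor so request data appears only inside the href URL."""
    url = BASE + quote(test_value, safe="")   # layer 1: URL component encoding
    return '<a href="%s" target="_blank" onclick="%s">link text</a>' % (
        escape(url, quote=True),              # layer 2: HTML attribute encoding
        escape(HANDLER, quote=True),          # constant text, no request data
    )


class AnchorAttrs(HTMLParser):
    """Collects the entity-decoded attributes of the first <a> tag."""

    def __init__(self):
        super().__init__()
        self.attrs = None

    def handle_starttag(self, tag, attrs):
        if tag == "a" and self.attrs is None:
            self.attrs = dict(attrs)


def parse_rendered(markup):
    """Undo the layers in browser order: HTML attribute first, then URL."""
    parser = AnchorAttrs()
    parser.feed(markup)
    parser.close()
    query = parse_qs(urlsplit(parser.attrs["href"]).query, keep_blank_values=True)
    return {"attr_names": sorted(parser.attrs), "onclick": parser.attrs["onclick"],
            "query": query}


# Constructed sample mixing characters special to HTML, JavaScript and URLs.
SAMPLE = "a'b\"c<d>&param1=x#frag y"

if __name__ == "__main__":
    print(render_link(SAMPLE))
    print(parse_rendered(render_link(SAMPLE)))
```

Because the onclick handler is a constant that reads this.href at click time, the request value never passes through a JavaScript string literal, which is the context that forced the extra encoding layer in the original markup.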