[Esapi-user] Tricky encoding question
Jeff Williams
jeff.williams at aspectsecurity.com
Mon Jun 20 17:48:16 EDT 2011
That’s an excellent point and something that we often forget. ESAPI and the OWASP Cheatsheets are all about trying to keep you on a safe path. If you try hard enough, there are ways to use just about anything insecurely.
In the XSS Cheatsheet <https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet>, Rule 0 is probably the most important... "Never Insert Untrusted Data Except in Allowed Locations". I just updated it with a note to avoid "nested contexts".
--Jeff
From: Chris Schmidt [mailto:chris.schmidt at owasp.org]
Sent: Monday, June 20, 2011 5:39 PM
To: Matthew Presson
Cc: Jeff Williams; esapi-user at lists.owasp.org
Subject: Re: [Esapi-user] Tricky encoding question
Best solution yet. :)
On 6/20/2011 3:21 PM, Matthew Presson wrote:
Thank you all for your responses.
As an aside, I was able to recommend a "better way" to write the above code so as not to require the double encoding.
Original:
<a HREF=""
onClick="window.open('http://www.example.com/app/page.jsp?param1=a&param2=b&param3=<%=request.getParameter("test")%>', 'windowRef', 'resizable=yes,scrollbars=yes,status=no,location=no,toolbars=yes,height=500,width=800'); return false;">link text</a>
"Better" version:
<a href="http://www.example.com/app/page.jsp?param1=a&param2=b&param3=<%= outputEncoder.encodeForURL(request.getParameter("test")) %>" target="_blank" onclick="window.open(this.href, this.target,'resizable=yes,scrollbars=yes,status=no,location=no,toolbars=yes,height=500,width=800'); return false">link text</a>
Matt
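As an added example (not code from this thread or from ESAPI), the Python below models the two encoding chains behind the snippets above: three layers for the original onClick string (URL query inside a JavaScript string inside an HTML attribute) and two for the refactored href. The encoders are simplified stand-ins for ESAPI's encodeForURL, encodeForJavaScript and encodeForHTMLAttribute, and the round-trip helpers simulate the browser peeling the layers back in the opposite order.

```python
import html
import re
from urllib.parse import quote, unquote

def encode_for_url(value: str) -> str:
    # Percent-encode everything except unreserved characters (stand-in for encodeForURL).
    return quote(value, safe="")

def encode_for_js_string(value: str) -> str:
    # \xHH / \uHHHH-escape every non-alphanumeric so the value can never close
    # the quoted JavaScript string it is placed in (stand-in for encodeForJavaScript).
    out = []
    for ch in value:
        if ch.isascii() and ch.isalnum():
            out.append(ch)
        elif ord(ch) < 256:
            out.append("\\x%02X" % ord(ch))
        else:
            out.append("\\u%04X" % ord(ch))
    return "".join(out)

def encode_for_html_attr(value: str) -> str:
    # Entity-encode &, <, >, " and ' for a quoted attribute (stand-in for encodeForHTMLAttribute).
    return html.escape(value, quote=True)

def original_onclick_value(untrusted: str) -> str:
    # Original markup: encode the innermost context first (URL), then the JS
    # string, then the attribute, because the browser decodes in reverse order.
    return encode_for_html_attr(encode_for_js_string(encode_for_url(untrusted)))

def better_href_value(untrusted: str) -> str:
    # Refactored markup: the value lives only in the href URL and onclick reads
    # this.href, so the JavaScript string layer disappears entirely.
    return encode_for_html_attr(encode_for_url(untrusted))

def decode_js_string(value: str) -> str:
    # Stand-in for the JS parser undoing \xHH / \uHHHH escapes.
    return re.sub(r"\\x([0-9A-F]{2})|\\u([0-9A-F]{4})",
                  lambda m: chr(int(m.group(1) or m.group(2), 16)), value)

def browser_roundtrip_original(attr: str) -> str:
    # Browser view of the original: attribute decode -> JS parse -> URL decode.
    return unquote(decode_js_string(html.unescape(attr)))

def browser_roundtrip_better(attr: str) -> str:
    # Browser view of the refactored version: attribute decode -> URL decode.
    return unquote(html.unescape(attr))

SAMPLE = 'it\'s "x" & <y>?'  # constructed input containing every delimiter of interest
if __name__ == "__main__":
    print(original_onclick_value(SAMPLE))
    print(better_href_value(SAMPLE))
```

Because the URL layer is applied first, the JavaScript and attribute encoders only ever see alphanumerics and `%`, which is why the refactored form still applies the attribute encoder as its outer layer even though it rarely has anything to change.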