[Esapi-user] Tricky encoding question

Jim Manico jim.manico at owasp.org
Mon Jun 20 17:55:59 EDT 2011


Jeff,

Most advanced modern AJAX apps are full of nested contexts, I'm not sure
if this is something that developers can reasonably avoid.

- Jim

> That’s an excellent point and something that we often forget. ESAPI and
> the OWASP Cheatsheets are all about trying to keep you on a safe path. 
> If you try hard enough, there are ways to use just about anything
> insecurely.
> 
>  
> 
> In the XSS Cheatsheet
> <https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet>,
> Rule 0 is probably the most important…. “Never Insert Untrusted Data
> Except in Allowed Locations”.   I just updated it with a note to avoid
> “nested contexts”
> 
>  
> 
> --Jeff
> 
>  
> 
>  
> 
> *From:* Chris Schmidt [mailto:chris.schmidt at owasp.org]
> *Sent:* Monday, June 20, 2011 5:39 PM
> *To:* Matthew Presson
> *Cc:* Jeff Williams; esapi-user at lists.owasp.org
> *Subject:* Re: [Esapi-user] Tricky encoding question
> 
>  
> 
> Best solution yet. :)
> 
> On 6/20/2011 3:21 PM, Matthew Presson wrote:
> 
> Thank you all for your responses.
> 
>  
> 
> As an aside, I was able to recommend a "better way" to write the above
> code so as not to require the double encoding.
> 
>  
> 
> Original:
> 
> <a HREF=""
> onClick="window.open('http://www.example.com/app/page.jsp?param1=a&param2=b&param3=<%=request.getParameter("test")%>',
> 'windowRef', 'resizable=yes,scrollbars=yes,status=no,location=no,toolbars=yes,height=500,width=800');
> return false;">link text</a>
> 
>  
> 
> "Better" version:
> 
>     <a
>     href="http://www.example.com/app/page.jsp?param1=a&param2=b&param3=<%= outputEncoder.encodeForURL(request.getParameter("test")) %>"
>     target="_blank" onclick="window.open(this.href, this.target,
>     'resizable=yes,scrollbars=yes,status=no,location=no,toolbars=yes,height=500,width=800');
>     return false">
> 
>  
> 
> Matt 
> 
>  
> 
>  
> 
> 
> 
> _______________________________________________
> Esapi-user mailing list
> Esapi-user at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/esapi-user
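The two snippets Matt posted are a compact illustration of the "nested contexts" Jeff and Jim are discussing. The example below is added here and is not code from the thread or from ESAPI; it re-creates both link patterns in Python (standing in for the JSP) with small stand-in encoders that approximate ESAPI's encodeForURL, encodeForJavaScript and encodeForHTMLAttribute, then replays the browser's decoding order to show why the original markup needs encoders stacked inside-out (URL, then JavaScript string, then HTML attribute) while the rewritten markup needs only the URL encoder plus the attribute context it already sits in. The hostile input string is constructed for the demonstration.

```python
import html
import re
import urllib.parse

# Constructed sample input (not from the thread): it tries to close a JS string
# literal, an HTML attribute and a URL query parameter at the same time.
UNTRUSTED = "a'); alert(1); //\"<>&"

BASE = "http://www.example.com/app/page.jsp?param1=a&param2=b&param3="
FEATURES = "resizable=yes,scrollbars=yes,status=no,location=no,toolbars=yes,height=500,width=800"


def encode_for_url(s: str) -> str:
    """Percent-encode everything except unreserved characters (approximates ESAPI encodeForURL)."""
    return urllib.parse.quote(s, safe="")


def encode_for_js_string(s: str) -> str:
    """Hex-escape every non-alphanumeric so nothing can terminate a JS string literal
    (approximates ESAPI encodeForJavaScript)."""
    out = []
    for ch in s:
        if ch.isalnum() and ord(ch) < 128:
            out.append(ch)
        elif ord(ch) < 256:
            out.append("\\x%02X" % ord(ch))
        else:
            out.append("\\u%04X" % ord(ch))
    return "".join(out)


def encode_for_html_attr(s: str) -> str:
    """Entity-encode &, <, >, \" and ' for a quoted attribute value."""
    return html.escape(s, quote=True)


def nested_onclick_link(value: str) -> str:
    """The 'Original' pattern: untrusted data ends up inside a URL, inside a JS string
    literal, inside an HTML attribute, so three encoders are applied inside-out."""
    url = BASE + encode_for_url(value)
    js = "window.open('%s', 'windowRef', '%s'); return false;" % (encode_for_js_string(url), FEATURES)
    return '<a href="" onClick="%s">link text</a>' % encode_for_html_attr(js)


def single_context_link(value: str) -> str:
    """The 'Better' pattern: the data lives only in the href attribute, so the URL encoder
    is the one that matters; attribute encoding of the finished URL is cheap and harmless."""
    url = BASE + encode_for_url(value)
    return ('<a href="%s" target="_blank" onclick="window.open(this.href, this.target, '
            "'%s'); return false\">link text</a>") % (encode_for_html_attr(url), FEATURES)


def decode_js_string(s: str) -> str:
    """Undo \\xHH and \\uHHHH escapes the way the JS engine would when reading the literal."""
    return re.sub(r"\\x([0-9A-Fa-f]{2})|\\u([0-9A-Fa-f]{4})",
                  lambda m: chr(int(m.group(1) or m.group(2), 16)), s)


def param3_seen_by_server(url: str) -> str:
    """What page.jsp would receive for param3 once the browser sends the URL."""
    query = urllib.parse.urlsplit(url).query
    return urllib.parse.parse_qs(query, keep_blank_values=True)["param3"][0]


def recover_from_nested(markup: str) -> str:
    """Replay the browser on the nested pattern: HTML attribute decode, then JS string
    decode, then URL decode. Each layer must peel off cleanly or the data is corrupted."""
    attr = re.search(r'onClick="([^"]*)"', markup).group(1)
    js = html.unescape(attr)
    literal = re.search(r"window\.open\('([^']*)'", js).group(1)
    return param3_seen_by_server(decode_js_string(literal))


def recover_from_single(markup: str) -> str:
    """Replay the browser on the single-context pattern: attribute decode, then URL decode."""
    attr = re.search(r'href="([^"]*)"', markup).group(1)
    return param3_seen_by_server(html.unescape(attr))


if __name__ == "__main__":
    for name, build, recover in (("nested", nested_onclick_link, recover_from_nested),
                                 ("single", single_context_link, recover_from_single)):
        markup = build(UNTRUSTED)
        print(name, "->", markup)
        print("  server sees param3 =", repr(recover(markup)))
```

The round trip is the useful check: if any layer in the nested pattern is skipped or applied in the wrong order, the decoded value no longer matches the input, which is exactly the kind of bug the cheat sheet's "avoid nested contexts" note is warning about. In the single-context version the only layer the data passes through is the URL encoder, so the review question shrinks to "is this value URL-encoded?".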
