[Esapi-user] Which encoding to use when untrusted data goes through both javascript and html ?

Samir Kelekar samir_kelekar at yahoo.com
Mon May 23 22:55:41 EDT 2011


This is my first post, so please excuse me in case there are any errors.
Consider the following .jsp sample. Not tested, so there might be some mistakes.


<p>Welcome to the site <b id='boldStuff'>dude</b> </p>
<input type='button' onclick='changeText(<%= get_data() %>)' value='Change Text'/>

<script type="text/javascript">
function changeText(my_data){
    document.getElementById('boldStuff').innerHTML = my_data;
}
</script>


Here get_data is a function that brings untrusted input.
It goes into JavaScript, so it needs to be encoded for JavaScript.
But then it is allotted to an HTML element later using innerHTML, so it needs to
be encoded for HTML.

Which one to choose ?

If one chooses, say, JavaScript encoding only, what will happen if get_data()
returns
<script> alert() </script>

and if one encodes only for HTML, what will happen if get_data()
returns
alert()

Any advice will be much appreciated.

regards,
Samir
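An added example, not part of the original post and not ESAPI code, that models the post's button in Node so the two single-layer choices and the layered one can be compared on the same input. The browser decodes the data three times, in order: the HTML parser decodes character references in the onclick attribute, the JS engine parses the string literal, and innerHTML parses the result as HTML. So the server must encode in the reverse order: HTML first, then JavaScript, then HTML attribute. The encoder function names below are assumptions (ESAPI's Java Encoder has encodeForHTML, encodeForJavaScript and encodeForHTMLAttribute for the same three contexts); the decode model and the sample inputs are constructed here.

```javascript
// Added example (not from the post, not ESAPI). Encoder names are assumed;
// they mirror the three ESAPI Encoder contexts for this page's JSP pattern.

// Innermost context, decoded last: innerHTML parses the value as HTML.
function encodeForHTML(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;', '/': '&#x2F;' };
  return s.replace(/[&<>"'\/]/g, c => map[c]);
}

// Middle context: a double-quoted JavaScript string literal. Escaping every
// non-alphanumeric character means no quote, backslash, newline or '<' can
// terminate the literal or the enclosing script.
function encodeForJavaScript(s) {
  return s.replace(/[^A-Za-z0-9]/g, c => {
    const code = c.charCodeAt(0);
    return code < 0x100
      ? '\\x' + code.toString(16).padStart(2, '0')
      : '\\u' + code.toString(16).padStart(4, '0');
  });
}

// Outermost context, decoded first: an HTML attribute value.
function encodeForHTMLAttribute(s) {
  return s.replace(/[^A-Za-z0-9]/g, c => '&#x' + c.charCodeAt(0).toString(16) + ';');
}

// What the JSP should emit for  onclick='changeText("<%= ... %>")' :
// the encoders applied in the reverse of the browser's decode order.
function buildOnclickLayered(untrusted) {
  return 'changeText("' + encodeForHTMLAttribute(encodeForJavaScript(encodeForHTML(untrusted))) + '")';
}

// The single-layer choices the post asks about.
function buildOnclickHtmlOnly(untrusted) {          // quoted literal, HTML-encoded once
  return 'changeText("' + encodeForHTML(untrusted) + '")';
}
function buildOnclickHtmlOnlyUnquoted(untrusted) {  // exactly the post's changeText(<%= %>)
  return 'changeText(' + encodeForHTML(untrusted) + ')';
}
function buildOnclickJsOnly(untrusted) {
  return 'changeText("' + encodeForJavaScript(untrusted) + '")';
}

// --- Minimal model of the browser's decode steps (constructed for this example) ---

// Step 1: the HTML parser decodes character references inside the attribute value.
// Handles the hex numeric references the encoders above emit plus the basic named ones.
function decodeHTMLAttribute(attr) {
  const named = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'" };
  return attr
    .replace(/&#x([0-9a-fA-F]+);/g, (_, hex) => String.fromCodePoint(parseInt(hex, 16)))
    .replace(/&(amp|lt|gt|quot|apos);/g, (_, n) => named[n]);
}

// Steps 2 and 3: the JS engine runs the decoded attribute body. changeText records
// the string innerHTML would receive; alert is a spy so an injection is visible.
function simulateClick(attrValue) {
  const result = { innerHTML: null, alertFired: false };
  const changeText = v => { result.innerHTML = v; };
  const alert = () => { result.alertFired = true; };
  new Function('changeText', 'alert', decodeHTMLAttribute(attrValue))(changeText, alert);
  return result;
}

// Stand-alone run over constructed inputs.
function demo() {
  const markup = '<script> alert() </script>';
  console.log('layered  :', simulateClick(buildOnclickLayered(markup)));
  console.log('js-only  :', simulateClick(buildOnclickJsOnly(markup)));
  console.log('html-only:', simulateClick(buildOnclickHtmlOnly('"); alert(); ("')));
  console.log('unquoted :', simulateClick(buildOnclickHtmlOnlyUnquoted('alert()')));
}
demo();
```

With the layered encoding, innerHTML receives `&lt;script&gt; ...`, which renders as literal text. With JavaScript encoding only, the string literal survives but raw markup reaches innerHTML; a `<script>` element inserted that way does not run, but an `<img onerror=...>` in the same position would. With HTML encoding only, the attribute decoder turns `&quot;` back into `"` before the JS engine ever sees it, so the quote closes the literal and `alert()` runs; with the post's unquoted `changeText(<%= %>)` no quote is even needed. In practice the simpler fix is to remove the JS context altogether: put the value in a data- attribute (HTML attribute encoding only), read it with getAttribute in the handler, and assign it with textContent rather than innerHTML.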