[Esapi-user] Which encoding to use when untrusted data goes through both javascript and html ?
Chris Schmidt
chrisisbeef at gmail.com
Mon May 23 23:47:23 EDT 2011
You will want to use the correct encoding for where you are actually
using the data. So:
<input type='button'
       onclick='changeText("<%= ESAPI.encoder().encodeForJavaScript(get_data()) %>")'
       value='Change Text'/>
and
function changeText(my_data) {
    document.getElementById('boldStuff').innerText = my_data;
}
would work fine. :)
You could also use jq-encoder to address this in your javascript function:
function changeText(my_data) {
    $('#boldStuff').html( $.encoder.encodeForHTML(my_data) );
}
On 5/23/2011 8:55 PM, Samir Kelekar wrote:
> This is my first post, so please excuse me in case there are any errors.
> Consider the following .jsp sample. Not tested so there might be some
> mistake.
>
> <p>Welcome to the site <b id='boldStuff'>dude</b> </p>
> <input type='button' onclick='changeText(<%= get_data() %>)'
> value='Change Text'/>
> <script type="text/javascript">
> function changeText(my_data) {
>     document.getElementById('boldStuff').innerHTML = my_data;
> }
> </script>
>
> Here get_data is a function that brings untrusted input.
> It goes into a javascript so needs to be encoded for Javascript.
> But then it is allotted to an html element later using innerHTML, so it
> needs to be encoded for html.
> Which one to choose?
> If one chooses say javascript encoding only, what will happen if
> get_data() returns
> <script> alert() </script>
> and if one encodes only for html, what will happen if
> get_data() returns
> alert()
> Any advice will be much appreciated.
> regards,
> Samir
>
>
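The two-context problem discussed in this thread, as an added example (not code from either poster, ESAPI or jquery-encoder): a hand-rolled, ESAPI-style JavaScript encoder and an HTML encoder, a server-side step that renders the onclick handler, and a client-side step that simulates the browser running that handler and writing into the DOM. encodeForJavaScript, encodeForHTML, renderHandler and renderedHtml are assumed names, and the "sink" argument is a stand-in for the innerHTML vs. innerText (or .html() plus encodeForHTML) choice.

```javascript
// Server-side context: the value is placed inside a quoted JS string literal.
// Assumption: like ESAPI, escape everything that is not alphanumeric as \xHH/\uHHHH.
// The output contains no & < > ' " characters, so it also survives unchanged
// inside a single-quoted onclick='...' attribute before the JS engine sees it.
function encodeForJavaScript(s) {
  return String(s).replace(/[^A-Za-z0-9]/g, (ch) => {
    const code = ch.charCodeAt(0);
    return code < 256
      ? '\\x' + code.toString(16).padStart(2, '0')
      : '\\u' + code.toString(16).padStart(4, '0');
  });
}

// Client-side context: the value is about to become HTML markup.
function encodeForHTML(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;',
                '"': '&quot;', "'": '&#x27;', '/': '&#x2f;' };
  return String(s).replace(/[&<>"'/]/g, (ch) => map[ch]);
}

// What the JSP emits as the body of the onclick attribute.
function renderHandler(untrusted) {
  return 'changeText("' + encodeForJavaScript(untrusted) + '")';
}

// Simulate the browser: run the emitted handler with a changeText that writes
// into the <b> element. Returns the markup that ends up inside that element.
//   sink === 'innerHTML'  -> the string is parsed as markup (Samir's original code)
//   sink === 'innerText'  -> the string becomes a text node, serialized with entities
//                            (Chris's innerText / encodeForHTML + .html() fix)
function renderedHtml(untrusted, sink) {
  let markup = null;
  const changeText = (my_data) => {
    markup = sink === 'innerHTML' ? my_data : encodeForHTML(my_data);
  };
  // new Function stands in for the JS engine evaluating the inline handler;
  // the JS escapes decode back to the original untrusted string here.
  new Function('changeText', renderHandler(untrusted))(changeText);
  return markup;
}
```

The JS encoding only guarantees the data arrives in changeText as the same string; whether that string is then interpreted as markup is decided by the second context, so the innerHTML sink still needs HTML encoding or a text-only sink.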