[Esapi-user] Which encoding to use when untrusted data goes through both javascript and html ?

Chris Schmidt chrisisbeef at gmail.com
Mon May 23 23:47:23 EDT 2011

You will want to use the correct encoding for where you are actually 
using the data. So:

<input type='button' onclick='changeText(<%= ESAPI.encoder().encodeForJavaScript(get_data()) %>)' value='Change Text'/>

function changeText(my_data){ document.getElementById('boldStuff').innerText = my_data; }

would work fine. :)

You could also use jq-encoder to address this in your javascript function:

function changeText(my_data) { $('#boldStuff').html( 
$.encoder.forHtml(my_data) ); }

On 5/23/2011 8:55 PM, Samir Kelekar wrote:
> This is my first post, so please excuse me in case there are any errors.
> Consider the following .jsp sample. Not tested so there might be some 
> mistake.
> <p>Welcome to the site <b id='boldStuff'>dude</b> </p>
> <input type='button' onclick='changeText(<%= get_data() %>)' 
> value='Change Text'/>
> <script type="text/javascript">
> function 
> changeText(my_data){ document.getElementById('boldStuff').innerHTML = 
> my_data;
> }
> </script>
> Here get_data is a function that brings untrusted input.
> It goes into a javascript so needs to be encoded for Javascript.
> But then it is allotted to an html element later using innerHTML, so it 
> needs to be encoded for html.
> Which one to choose ?
> If one chooses say javascript encoding only, what will happen if 
> get_data() returns
> <script> alert() </script>
> and if one encodes only for html, what will happen if 
> the get_data () returns
> alert()
> Any advice will be much appreciated.
> regards,
> Samir
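The two-stage flow discussed in this thread, traced in plain JavaScript as an added example (not part of the original posts, and not ESAPI or jq-encoder code): the value is JavaScript-encoded where the server writes it into the onclick handler, and HTML-encoded only at the point where it reaches an HTML sink. The helper names, the simplified encoders and the double quotes around the handler argument are assumptions made for this illustration.

```javascript
// Added example: simplified stand-ins, not ESAPI or jq-encoder source code.

// Server side: escape for a JavaScript string literal. Every non-alphanumeric
// becomes \xHH or \uHHHH, so the value cannot close the string or the attribute.
function encodeForJsString(s) {
  return s.replace(/[^A-Za-z0-9]/g, (ch) => {
    const code = ch.charCodeAt(0);
    const hex = code.toString(16).toUpperCase();
    return code < 256 ? '\\x' + hex.padStart(2, '0') : '\\u' + hex.padStart(4, '0');
  });
}

// What the browser's JS parser does to that literal before changeText() runs.
function decodeJsStringLiteral(literal) {
  return literal.replace(/\\x([0-9A-F]{2})|\\u([0-9A-F]{4})/g,
    (match, x, u) => String.fromCharCode(parseInt(x || u, 16)));
}

// Client side: entity-encode immediately before an HTML sink.
function encodeForHtml(s) {
  const entities = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return s.replace(/[&<>"']/g, (ch) => entities[ch]);
}

// Follow one untrusted value through both contexts.
function trace(untrusted) {
  const literal = encodeForJsString(untrusted);
  const myData = decodeJsStringLiteral(literal); // argument changeText() receives
  return {
    handler: 'changeText("' + literal + '")', // text placed in the onclick attribute
    myData,
    rawHtmlSink: myData,                       // innerHTML = my_data: parsed as markup
    encodedHtmlSink: encodeForHtml(myData),    // HTML-encoded first: rendered as text
  };
}

// Constructed sample input: the value from the question in this thread.
console.log(trace('<script> alert() </script>'));
```

The JavaScript encoding is undone by the JavaScript parser, so changeText() receives the original characters and the HTML sink needs its own encoding; a text-only sink such as innerText never parses the value as markup.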
