[Esapi-user] Which encoding to use when untrusted data goes through both javascript and html ?

Samir Kelekar samir_kelekar at yahoo.com
Tue May 24 10:20:57 EDT 2011

Thanks much for your answer. It is very illuminating.
What you seem to be saying is that one may have to use a non-ESAPI encoder if 
the data goes through
two different types of executors, in this case javascript and html. And you are 
using an html construct
called innerText, which does the job of an html encoder. What if the data had to 
go into an html attribute
instead ? I dont know if there is an html construct for that. The second option 
you have suggested is the
use of another software.

Also, I see that some encodings have to be done on the client side which is 
beyond ESAPI which works
only on the server side.

I have another example on which similar confusion persists. Appreciate comments 
if possible.
It is an Ajax example. This has been tested though not exactly the same code.


<div id="productDetails"> 

<input type='button' onclick="javascript:getList('0')" value='Change Text'/>
<script type="text/javascript">

function getList(index)
var xmlhttp;
if (window.XMLHttpRequest)
  {// code for IE7+, Firefox, Chrome, Opera, Safari
  xmlhttp=new XMLHttpRequest();
  {// code for IE6, IE5
  xmlhttp=new ActiveXObject("Microsoft.XMLHTTP");
  if (xmlhttp.readyState==4 && xmlhttp.status==200)
xmlhttp.open("GET","" + Math.random(),true);

Basically, on pressing the button it gets data from test5.jsp and then uses 
innerHTML to assign the
data. Test5.jsp contains html with a variable which is sourced using a java call 
and which is populated
in an html element.

The relevant parts of test5.jsp looks like this:

<td> <%=Details.getDesc() %> </td>

My question is : should the Details.getDesc which is untrusted input be encoded 
for html or for
javascript ?

Obviously it will finally go in as an html element  but since it goes into 
which is in a javascript, shouldnt it be encoded for javascript first ?

Thanks for your time / comments.




From: Chris Schmidt <chrisisbeef at gmail.com>
To: esapi-user at lists.owasp.org
Sent: Tue, May 24, 2011 9:17:23 AM
Subject: Re: [Esapi-user] Which encoding to use when untrusted data goes through 
both javascript and html ?

You will want to use the correct encoding for where you are actually using the 
data. So:

<input type='button' onclick='changeText(<=% 
ESAPI.encoder().encodeForJavascript(get_data()) %>)' value='Change Text'/>

function changeText(my_data){ document.getElementById('boldStuff').innerText = 

would work fine. :)

You could also use jq-encoder to address this in your javascript function:

function changeText(my_data) { $('#boldStuff').html( $.encoder.forHtml(my_data) 
); }

On 5/23/2011 8:55 PM, Samir Kelekar wrote: 
This is my first post, so please excuse me in case there are any errors.
>Consider the following .jsp sample. Not tested so there might be some mistake.
><p>Welcome to the site <b id='boldStuff'>dude</b> </p>
><input type='button' onclick='changeText(<=% get_data() %>)' value='Change 
><script type="text/javascript">
>function changeText(my_data){ document.getElementById('boldStuff').innerHTML = 
>Here get_data is a function that brings untrusted input.
>It goes into a javascript so needs to be encoded for Javascript.
>But then it is alloted to an html element later using innerHTM, so it needs to 
>be encoded for html.
>Which one to choose ?
>If one chooses say javascript encoding only, what will happen if get_data() 
><script> alert() </script>
>and if the one encoodes only for html, what will happen if the get_data () 
>Any advice will be much appreciated.
> _______________________________________________ Esapi-user mailing list 
>Esapi-user at lists.owasp.org https://lists.owasp.org/mailman/listinfo/esapi-user 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://lists.owasp.org/pipermail/esapi-user/attachments/20110524/536a18a6/attachment.html 

More information about the Esapi-user mailing list