[Esapi-user] Which encoding to use when untrusted data goes through both javascript and html ?

Chris Schmidt chris.schmidt at owasp.org
Tue May 24 11:55:50 EDT 2011


Glad you found it helpful, however - that is not what I am saying at all :)

JQuery-Encoder is absolutely an ESAPI encoder, only it is a javascript 
implementation rather than a Java one, which for the purposes of your 
example below is what you are in need of. I also illustrate in the first 
example the use of *innerText* as opposed to *innerHTML* which in itself 
will protect you from injection attacks for your scenario.

The point I am making is that the data should be encoded for where it is 
*currently* being used. So when it is being used in a javascript 
context, it should be encoded for JS - when being used in Html between 
two tags, encoded for HTML, etc.

There is no rule that states that a piece of data is encoded once, and 
that is it - you apply *output* encoding at the last possible stage 
where you are actually *outputting* the data :)

Hope this helps.



On 5/24/2011 8:20 AM, Samir Kelekar wrote:
> Thanks much for your answer. It is very illuminating.
> What you seem to be saying is that one may have to use a non-ESAPI 
> encoder if the data goes through
> two different types of executors, in this case javascript and html. 
> And you are using an html construct
> called innerText, which does the job of an html encoder. What if the 
> data had to go into an html attribute
> instead? I don't know if there is an html construct for that. The 
> second option you have suggested is the
> use of another software.
> Also, I see that some encodings have to be done on the client side 
> which is beyond ESAPI which works
> only on the server side.
> I have another example on which similar confusion persists. Appreciate 
> comments if possible.
> It is an Ajax example. This has been tested though not exactly the 
> same code.
> -----------------------------------------------------------------------------------------------------
> <html>
> <body>
> <div id="productDetails">
> <input type='button' onclick="javascript:getList('0')" value='Change Text'/>
> </div>
> </body>
> <script type="text/javascript">
>
> function getList(index)
> {
>
> var xmlhttp;
> if (window.XMLHttpRequest)
>   {// code for IE7+, Firefox, Chrome, Opera, Safari
>   xmlhttp=new XMLHttpRequest();
>   }
> else
>   {// code for IE6, IE5
>   xmlhttp=new ActiveXObject("Microsoft.XMLHTTP");
>   }
> xmlhttp.onreadystatechange=function()
>   {
>   if (xmlhttp.readyState==4 && xmlhttp.status==200)
>     {
>     document.getElementById("productDetails").innerHTML=xmlhttp.responseText;
>
>     }
>   }
> xmlhttp.open("GET","http://127.0.0.1/test5.jsp?t=" + Math.random(),true);
> xmlhttp.send();
>
> }
> </script>
> </html>
> ---------------------------------------------------------------------------------------------
> Basically, on pressing the button it gets data from test5.jsp and then 
> uses innerHTML to assign the
> data. Test5.jsp contains html with a variable which is sourced using a 
> java call and which is populated
> in an html element.
> The relevant parts of test5.jsp looks like this:
> <td> <%=Details.getDesc() %> </td>
> My question is : should the Details.getDesc which is untrusted input 
> be encoded for html or for
> javascript ?
> Obviously it will finally go in as an html element  but since it goes 
> into xmlhttp.responseText
> which is in a javascript, shouldn't it be encoded for javascript first?
> Thanks for your time / comments.
> regards,
> Samir
> ------------------------------------------------------------------------------------------------
>
> ------------------------------------------------------------------------
> *From:* Chris Schmidt <chrisisbeef at gmail.com>
> *To:* esapi-user at lists.owasp.org
> *Sent:* Tue, May 24, 2011 9:17:23 AM
> *Subject:* Re: [Esapi-user] Which encoding to use when untrusted data 
> goes through both javascript and html ?
>
> You will want to use the correct encoding for where you are actually 
> using the data. So:
>
> <input type='button' onclick='changeText(<%= ESAPI.encoder().encodeForJavaScript(get_data()) %>)' value='Change Text'/>
>
> and
>
> function changeText(my_data) {
>   document.getElementById('boldStuff').innerText = my_data;
> }
>
> would work fine. :)
>
> You could also use jq-encoder to address this in your javascript function:
>
> function changeText(my_data) {
>   $('#boldStuff').html( $.encoder.forHtml(my_data) );
> }
>
>
> On 5/23/2011 8:55 PM, Samir Kelekar wrote:
>> This is my first post, so please excuse me in case there are any errors.
>> Consider the following .jsp sample. Not tested so there might be some 
>> mistake.
>>
>> <p>Welcome to the site <b id='boldStuff'>dude</b> </p>
>> <input type='button' onclick='changeText(<%= get_data() %>)' value='Change Text'/>
>> <script type="text/javascript">
>> function changeText(my_data) {
>>   document.getElementById('boldStuff').innerHTML = my_data;
>> }
>> </script>
>>
>> Here get_data is a function that brings untrusted input.
>> It goes into a javascript so needs to be encoded for Javascript.
>> But then it is allotted to an html element later using innerHTML, so it 
>> needs to be encoded for html.
>> Which one to choose ?
>> If one chooses say javascript encoding only, what will happen if 
>> get_data() returns
>> <script> alert() </script>
>> and if one encodes only for html, what will happen if 
>> the get_data () returns
>> alert()
>> Any advice will be much appreciated.
>> regards,
>> Samir
>>
>>
>> _______________________________________________
>> Esapi-user mailing list
>> Esapi-user at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/esapi-user
>
>
