[Esapi-user] Encoding JsonP callback parameter

Ittai Zeidman ittaiz at wix.com
Tue Sep 16 04:43:28 UTC 2014

I actually think I was too quick to respond since I’m not sure the JSON Sanitizer is the right project.

from Wikipedia: "The response to a JSONP request is not JSON and is not parsed as JSON; the returned payload can be any arbitrary JavaScript expression”.

Given the above definition I can decide to narrow down the values of the callback parameter I accept from the client to a valid JS function name.

This means I need to be able to receive an arbitrary string from the client and verify that it contains only a valid JS function name.

One option is to manually write it like so: http://tav.espians.com/sanitising-jsonp-callback-identifiers-for-security.html

I was hoping you would have a Encode.forJavaScriptFunctionName which encapsulates the above checks.

Would appreciate your feedback. 
Ittai Zeidman
Cell: 054-6735021
40 Hanamal street, Tel Aviv, Israel

On Tue, Sep 16, 2014 at 7:15 AM, Ittai Zeidman <ittaiz at wix.com> wrote:

> Thanks!
> Will march right over.
> Ittai Zeidman
> Cell: 054-6735021
> 40 Hanamal street, Tel Aviv, Israel
> On Mon, Sep 15, 2014 at 11:41 PM, Kevin W. Wall <kevin.w.wall at gmail.com>
> wrote:
>> ESAPI does not support JSON encoding. I would suggest the OWASP JSON
>> Sanitizer project,
>> https://www.owasp.org/index.php/OWASP_JSON_Sanitizer.
>> -kevin
>> Sent from my Droid; please excuse typos.
>> On Sep 15, 2014 4:37 PM, "Ittai Zeidman" <ittaiz at wix.com> wrote:
>>>   Hi,
>>> I have an API which I need to develop which will use JsonP and the client
>>> will be sending me a “callback” parameter for the js function I’m
>>> outputting to.
>>> I’m trying to evaluate how to sanitize the input since I’ll be using it
>>> directly in the output but I can’t find anything in the library.
>>> I found all kinds of regex patterns to use but I’m looking for a more
>>> robust approach.
>>> Does the Esapi Encoder handle this?
>>> Ittai Zeidman
>>> Cell: 054-6735021
>>> 40 Hanamal street, Tel Aviv, Israel
>>> _______________________________________________
>>> Esapi-user mailing list
>>> Esapi-user at lists.owasp.org
>>> https://lists.owasp.org/mailman/listinfo/esapi-user
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/esapi-user/attachments/20140915/444bd112/attachment.html>

More information about the Esapi-user mailing list