<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
  <head>
    <meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
  </head>
  <body text="#000000" bgcolor="#ffffff">
    I agree in principle, but I also think using the least amount of
    encoding simplifies the process - so I think the best course of
    action is to start with URL encoding - then throw some tests at it,
    run it through the gamut of JavaScript XSS vectors and if need be
    apply the next layer of encoding. <br>
    <br>
    Good testing and good validation/sanitization are key here as well.<br>
    <br>
    On 6/20/2011 2:31 PM, Jeff Williams wrote:
    <blockquote
cite="mid:B9A412898630124ABE8350F4EBD32E8401A010F3@mymail.aspectsecurity.com"
      type="cite">
      <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
      <meta name="Generator" content="Microsoft Word 14 (filtered
        medium)">
      <style><!--
/* Font Definitions */
@font-face
        {font-family:Calibri;
        panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
        {font-family:Tahoma;
        panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
        {font-family:Consolas;
        panose-1:2 11 6 9 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0in;
        margin-bottom:.0001pt;
        font-size:12.0pt;
        font-family:"Times New Roman","serif";
        color:black;}
a:link, span.MsoHyperlink
        {mso-style-priority:99;
        color:blue;
        text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
        {mso-style-priority:99;
        color:purple;
        text-decoration:underline;}
pre
        {mso-style-priority:99;
        mso-style-link:"HTML Preformatted Char";
        margin:0in;
        margin-bottom:.0001pt;
        font-size:10.0pt;
        font-family:"Courier New";
        color:black;}
span.apple-style-span
        {mso-style-name:apple-style-span;}
span.HTMLPreformattedChar
        {mso-style-name:"HTML Preformatted Char";
        mso-style-priority:99;
        mso-style-link:"HTML Preformatted";
        font-family:"Consolas","serif";
        color:black;}
span.EmailStyle20
        {mso-style-type:personal-reply;
        font-family:"Calibri","sans-serif";
        color:#1F497D;}
.MsoChpDefault
        {mso-style-type:export-only;
        font-size:10.0pt;}
@page WordSection1
        {size:8.5in 11.0in;
        margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
        {page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
      <div class="WordSection1">
        <p class="MsoNormal"><span style="font-size: 11pt; font-family:
            &quot;Calibri&quot;,&quot;sans-serif&quot;; color: rgb(31,
            73, 125);">I’ve always thought that the *<b>correct</b>* way
            to handle these nested encoding contexts is to use multiple
            encoding schemes – carefully!!  But I haven’t done the extensive
            testing necessary to figure out exactly how to deal with all
            the possible nested encoding contexts.<o:p></o:p></span></p>
        <div>
          <p class="MsoNormal"><span style="font-size: 11pt;
              font-family: &quot;Calibri&quot;,&quot;sans-serif&quot;;
              color: rgb(31, 73, 125);"><o:p> </o:p></span></p>
          <p class="MsoNormal"><span style="font-size: 11pt;
              font-family: &quot;Calibri&quot;,&quot;sans-serif&quot;;
              color: rgb(31, 73, 125);">--Jeff<o:p></o:p></span></p>
          <p class="MsoNormal"><span style="font-size: 11pt;
              font-family: &quot;Calibri&quot;,&quot;sans-serif&quot;;
              color: rgb(31, 73, 125);"><o:p> </o:p></span></p>
        </div>
        <p class="MsoNormal"><span style="font-size: 11pt; font-family:
            &quot;Calibri&quot;,&quot;sans-serif&quot;; color: rgb(31,
            73, 125);"><o:p> </o:p></span></p>
        <div>
          <div style="border-right: medium none; border-width: 1pt
            medium medium; border-style: solid none none; border-color:
            rgb(181, 196, 223) -moz-use-text-color -moz-use-text-color;
            padding: 3pt 0in 0in;">
            <p class="MsoNormal"><b><span style="font-size: 10pt;
                  font-family:
                  &quot;Tahoma&quot;,&quot;sans-serif&quot;; color:
                  windowtext;">From:</span></b><span style="font-size:
                10pt; font-family:
                &quot;Tahoma&quot;,&quot;sans-serif&quot;; color:
                windowtext;"> <a class="moz-txt-link-abbreviated" href="mailto:esapi-user-bounces@lists.owasp.org">esapi-user-bounces@lists.owasp.org</a>
                [<a class="moz-txt-link-freetext" href="mailto:esapi-user-bounces@lists.owasp.org">mailto:esapi-user-bounces@lists.owasp.org</a>] <b>On
                  Behalf Of </b>Chris Schmidt<br>
                <b>Sent:</b> Monday, June 20, 2011 4:27 PM<br>
                <b>To:</b> <a class="moz-txt-link-abbreviated" href="mailto:esapi-user@lists.owasp.org">esapi-user@lists.owasp.org</a><br>
                <b>Subject:</b> Re: [Esapi-user] Tricky encoding
                question<o:p></o:p></span></p>
          </div>
        </div>
        <p class="MsoNormal"><o:p> </o:p></p>
        <p class="MsoNormal">Couple of things - always use the context
          that most closely matches where you are outputting the data -
          in this case, the data is a URL and thus url encoding should
          be used. However, as you mentioned, the data is in a
          javascript parameter (jsdata) context, so ideally you would
          want to ensure that there are no unescaped javascript
          terminators in your output as well. Without writing some test
          cases, I am not 100% sure - but I imagine that URL encoding
          alone would also encode the relevant JavaScript terminators ",
          ' which would eliminate the possibility of the user being able
          to break context from the javascript parameter string. <br>
          <br>
          That being said, and moving on to your point of "blah&amp;a=b"
          - this should absolutely be verboten as it opens up a slew of
          parameter injection and override possibilities for an attacker
          to play with. <br>
          <br>
          <br>
          <br>
          On 6/20/2011 8:33 AM, Matthew Presson wrote: <o:p></o:p></p>
        <div>
          <p class="MsoNormal"><span style="font-size: 10pt;
              font-family: &quot;Arial&quot;,&quot;sans-serif&quot;;">I
              have come across a scenario in an application and would
              like some advice on the subject of applying the proper
              encoding.  <o:p></o:p></span></p>
        </div>
        <div>
          <p class="MsoNormal"><span style="font-size: 10pt;
              font-family: &quot;Arial&quot;,&quot;sans-serif&quot;;"><o:p> </o:p></span></p>
        </div>
        <div>
          <p class="MsoNormal"><span style="font-size: 10pt;
              font-family: &quot;Arial&quot;,&quot;sans-serif&quot;;"><o:p> </o:p></span></p>
        </div>
        <div>
          <p class="MsoNormal"><span style="font-size: 10pt;
              font-family: &quot;Arial&quot;,&quot;sans-serif&quot;;">Scenario:<o:p></o:p></span></p>
        </div>
        <div>
          <p class="MsoNormal"><span style="font-size: 10pt;
              font-family: &quot;Arial&quot;,&quot;sans-serif&quot;;">A
              developer is taking user input and using it to dynamically
              construct a URL which is used in an onClick event handler
              of an &lt;a&gt; tag.  The code (JSP) looks similar to
              this:<o:p></o:p></span></p>
        </div>
        <div>
          <p class="MsoNormal"><span style="font-size: 10pt;
              font-family: &quot;Arial&quot;,&quot;sans-serif&quot;;"><o:p> </o:p></span></p>
        </div>
        <blockquote style="border-width: medium medium medium 1pt;
          border-style: none none none solid; border-color:
          -moz-use-text-color -moz-use-text-color -moz-use-text-color
          rgb(204, 204, 204); padding: 0in 0in 0in 6pt; margin-left:
          4.8pt; margin-right: 0in;">
          <div>
            <p class="MsoNormal"><span style="font-size: 10pt;
                font-family: &quot;Courier New&quot;;">&lt;a HREF=""<br>
                onClick="window.open('http://www.example.com/app/page.jsp?param1=a&amp;param2=b&amp;param3=&lt;%=request.getParameter("test")%&gt;',
                'windowRef', '<br>
                resizable=yes,scrollbars=yes,status=no,location=no,toolbars=yes,height=500,width=800');
                return false;"&gt;link text&lt;/a&gt;</span></p>
          </div>
        </blockquote>
        <div>
          <p class="MsoNormal"><span style="font-size: 10pt;
              font-family: &quot;Arial&quot;,&quot;sans-serif&quot;;"><o:p> </o:p></span></p>
        </div>
        <div>
          <p class="MsoNormal"><span style="font-size: 10pt;
              font-family: &quot;Arial&quot;,&quot;sans-serif&quot;;"><o:p> </o:p></span></p>
        </div>
        <div>
          <p class="MsoNormal"><span style="font-size: 10pt;
              font-family: &quot;Arial&quot;,&quot;sans-serif&quot;;">As
              you can see, param3 is vulnerable to XSS.  The tricky part
              is that the data is being used to form a URL (URL Context)
              but from within a JavaScript event handler (JavaScript
              Context). <o:p></o:p></span></p>
        </div>
        <div>
          <p class="MsoNormal"><span style="font-size: 10pt;
              font-family: &quot;Arial&quot;,&quot;sans-serif&quot;;"><o:p> </o:p></span></p>
        </div>
        <p class="MsoNormal"><span class="apple-style-span"><span
              style="font-size: 10pt; font-family:
              &quot;Arial&quot;,&quot;sans-serif&quot;;">The question is
              - Which of the following encoding strategies would be the
              right one to use? </span><o:p></o:p></span></p>
        <div>
          <p class="MsoNormal"><o:p> </o:p></p>
        </div>
        <div>
          <p class="MsoNormal"><span style="font-size: 10pt;
              font-family: &quot;Arial&quot;,&quot;sans-serif&quot;;"><o:p> </o:p></span></p>
        </div>
        <div>
          <p class="MsoNormal"><span style="font-size: 10pt;
              font-family: &quot;Arial&quot;,&quot;sans-serif&quot;;">Option
              1: Only use URL encoding<o:p></o:p></span></p>
        </div>
        <blockquote style="border-width: medium medium medium 1pt;
          border-style: none none none solid; border-color:
          -moz-use-text-color -moz-use-text-color -moz-use-text-color
          rgb(204, 204, 204); padding: 0in 0in 0in 6pt; margin-left:
          4.8pt; margin-right: 0in;">
          <div>
            <p class="MsoNormal"><span style="font-size: 10pt;
                font-family: &quot;Courier New&quot;;">&lt;a HREF=""<br>
                onClick="window.open('http://www.example.com/app/page.jsp?param1=a&amp;param2=b&amp;param3=&lt;%=
                OutputEncoder.encodeForURL(request.getParameter("test"))
                %&gt;', 'windowRef', '<br>
                resizable=yes,scrollbars=yes,status=no,location=no,toolbars=yes,height=500,width=800');
                return false;"&gt;link text&lt;/a&gt;</span></p>
          </div>
        </blockquote>
        <div>
          <p class="MsoNormal"><span style="font-size: 10pt;
              font-family: &quot;Arial&quot;,&quot;sans-serif&quot;;"><o:p> </o:p></span></p>
        </div>
        <div>
          <p class="MsoNormal"><span style="font-size: 10pt;
              font-family: &quot;Arial&quot;,&quot;sans-serif&quot;;">This
              option appears to work well, but we are still in a JavaScript
              context and are unsure if there would still be attack
              strings that would allow for a successful XSS attack.<o:p></o:p></span></p>
        </div>
        <div>
          <p class="MsoNormal"><span style="font-size: 10pt;
              font-family: &quot;Arial&quot;,&quot;sans-serif&quot;;"><o:p> </o:p></span></p>
        </div>
        <div>
          <p class="MsoNormal"><span style="font-size: 10pt;
              font-family: &quot;Arial&quot;,&quot;sans-serif&quot;;"><o:p> </o:p></span></p>
        </div>
        <div>
          <p class="MsoNormal"><span style="font-size: 10pt;
              font-family: &quot;Arial&quot;,&quot;sans-serif&quot;;">Option
              2: Only use JavaScript encoding:<o:p></o:p></span></p>
        </div>
        <div>
          <blockquote style="border-width: medium medium medium 1pt;
            border-style: none none none solid; border-color:
            -moz-use-text-color -moz-use-text-color -moz-use-text-color
            rgb(204, 204, 204); padding: 0in 0in 0in 6pt; margin-left:
            4.8pt; margin-right: 0in;">
            <p class="MsoNormal"><span style="font-size: 10pt;
                font-family: &quot;Courier New&quot;;">&lt;a HREF=""<br>
                onClick="window.open('http://www.example.com/app/page.jsp?param1=a&amp;param2=b&amp;param3=&lt;%=
                OutputEncoder.encodeForJavaScript(request.getParameter("test"))
                %&gt;', 'windowRef', '<br>
                resizable=yes,scrollbars=yes,status=no,location=no,toolbars=yes,height=500,width=800');
                return false;"&gt;link text&lt;/a&gt;</span></p>
          </blockquote>
        </div>
        <div>
          <p class="MsoNormal"><span style="font-size: 10pt;
              font-family: &quot;Arial&quot;,&quot;sans-serif&quot;;"><o:p> </o:p></span></p>
        </div>
        <div>
          <p class="MsoNormal"><span style="font-size: 10pt;
              font-family: &quot;Arial&quot;,&quot;sans-serif&quot;;">This
              option works from a security standpoint, but breaks in
              scenarios where the value of the parameter <i>test</i> is
              supposed to equal "blah&amp;a=b".  When using only
              JavaScript encoding, page.jsp would read the value of
              param3 as blah and have an extra parameter named a with
              the value b instead of having the value of param3 equal
              blah&amp;a=b which ultimately results in a functional
              defect.<o:p></o:p></span></p>
        </div>
        <div>
          <p class="MsoNormal"><span style="font-size: 10pt;
              font-family: &quot;Arial&quot;,&quot;sans-serif&quot;;"><o:p> </o:p></span></p>
        </div>
        <div>
          <p class="MsoNormal"><span style="font-size: 10pt;
              font-family: &quot;Arial&quot;,&quot;sans-serif&quot;;"><o:p> </o:p></span></p>
        </div>
        <div>
          <p class="MsoNormal"><span style="font-size: 10pt;
              font-family: &quot;Arial&quot;,&quot;sans-serif&quot;;">Option
              3: Double encode using URL AND JavaScript encoding<o:p></o:p></span></p>
        </div>
        <blockquote style="border-width: medium medium medium 1pt;
          border-style: none none none solid; border-color:
          -moz-use-text-color -moz-use-text-color -moz-use-text-color
          rgb(204, 204, 204); padding: 0in 0in 0in 6pt; margin-left:
          4.8pt; margin-right: 0in;">
          <p class="MsoNormal"><span style="font-size: 10pt;
              font-family: &quot;Courier New&quot;;">&lt;a HREF=""<br>
              onClick="window.open('http://www.example.com/app/page.jsp?param1=a&amp;param2=b&amp;param3=&lt;%=
              OutputEncoder.encodeForJavaScript(OutputEncoder.encodeForURL(request.getParameter("test")))
              %&gt;', 'windowRef', '<br>
              resizable=yes,scrollbars=yes,status=no,location=no,toolbars=yes,height=500,width=800');
              return false;"&gt;link text&lt;/a&gt;</span></p>
        </blockquote>
        <div>
          <p class="MsoNormal"><span style="font-size: 10pt;
              font-family: &quot;Arial&quot;,&quot;sans-serif&quot;;"><o:p> </o:p></span></p>
        </div>
        <div>
          <p class="MsoNormal"><span style="font-size: 10pt;
              font-family: &quot;Arial&quot;,&quot;sans-serif&quot;;">This
              seems to also work, but I am not sure about recommending a
              double-encoding strategy.  For one, it adds another level
              of complexity that could potentially lead to problems down
              the road.  Secondly, isn't double-encoding usually frowned
              upon as a solution? <o:p></o:p></span></p>
        </div>
        <div>
          <p class="MsoNormal"><span style="font-size: 10pt;
              font-family: &quot;Arial&quot;,&quot;sans-serif&quot;;"><o:p> </o:p></span></p>
        </div>
        <div>
          <p class="MsoNormal"><span style="font-size: 10pt;
              font-family: &quot;Arial&quot;,&quot;sans-serif&quot;;"><o:p> </o:p></span></p>
        </div>
        <div>
          <p class="MsoNormal"><span style="font-size: 10pt;
              font-family: &quot;Arial&quot;,&quot;sans-serif&quot;;">Please
              let me know if any of this does not make sense, or if I
              can provide you with any additional information.<o:p></o:p></span></p>
        </div>
        <div>
          <p class="MsoNormal"><span style="font-size: 10pt;
              font-family: &quot;Arial&quot;,&quot;sans-serif&quot;;"><o:p> </o:p></span></p>
        </div>
        <div>
          <p class="MsoNormal"><span style="font-size: 10pt;
              font-family: &quot;Arial&quot;,&quot;sans-serif&quot;;"><o:p> </o:p></span></p>
        </div>
        <div>
          <p class="MsoNormal"><span style="font-size: 10pt;
              font-family: &quot;Arial&quot;,&quot;sans-serif&quot;;">Thanks, <br>
              Matt<o:p></o:p></span></p>
        </div>
        <pre><o:p> </o:p></pre>
        <pre><o:p> </o:p></pre>
        <pre>_______________________________________________<o:p></o:p></pre>
        <pre>Esapi-user mailing list<o:p></o:p></pre>
        <pre><a moz-do-not-send="true" href="mailto:Esapi-user@lists.owasp.org">Esapi-user@lists.owasp.org</a><o:p></o:p></pre>
        <pre><a moz-do-not-send="true" href="https://lists.owasp.org/mailman/listinfo/esapi-user">https://lists.owasp.org/mailman/listinfo/esapi-user</a><o:p></o:p></pre>
        <p class="MsoNormal"><o:p> </o:p></p>
      </div>
    </blockquote>
    <br>
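    <p>The nested context Matt describes, simulated end to end as an added
    example; this is not code from the thread or from ESAPI, and it runs
    under Node.js. The two encoders are simplified stand-ins:
    <tt>encodeForURL</tt> percent-encodes every character outside the RFC
    3986 unreserved set, and <tt>encodeForJavaScript</tt> turns every
    non-alphanumeric code unit into <tt>\xHH</tt> or <tt>\uHHHH</tt>, in the
    style of the ESAPI method of that name. The browser is modelled
    outside-in: the attribute value is cut at the next double quote and
    character references are decoded, the real JavaScript parser (via
    <tt>new Function</tt>, standing in for the click) decodes the string
    literal, and a small query-string splitter stands in for page.jsp's
    <tt>request.getParameter()</tt>. The inputs are constructed: the
    <tt>blah&amp;a=b</tt> value from the question, and a payload chosen to
    close the single-quoted literal using only characters that
    <tt>encodeURIComponent</tt> leaves unencoded.</p>

```javascript
// Added example (not code from the thread or from ESAPI): Matt's onClick
// scenario simulated end to end. Encoding is applied inside-out (URL, then
// JavaScript); the browser decodes outside-in (HTML attribute, then JS string
// literal) and page.jsp splits the query string. Both encoders are simplified
// stand-ins written for this demonstration.
const BASE = "http://www.example.com/app/page.jsp?param1=a&param2=b&param3=";

// URL encoder: percent-encode everything outside the RFC 3986 unreserved set.
// encodeURIComponent alone leaves ! ' ( ) * as-is, so they are handled here.
function encodeForURL(s) {
  return encodeURIComponent(s).replace(/[!'()*]/g,
    c => "%" + c.charCodeAt(0).toString(16).toUpperCase());
}

// JS string-literal encoder: every non-alphanumeric UTF-16 code unit becomes
// \xHH or \uHHHH, so the output can never terminate a quoted string.
function encodeForJavaScript(s) {
  return s.split("").map(ch => {
    if (/[A-Za-z0-9]/.test(ch)) return ch;
    const cu = ch.charCodeAt(0);
    return cu < 0x100 ? "\\x" + cu.toString(16).toUpperCase().padStart(2, "0")
                      : "\\u" + cu.toString(16).toUpperCase().padStart(4, "0");
  }).join("");
}

// The strategies from the question, plus bare encodeURIComponent to show that
// "URL encoding alone" depends on which characters the encoder leaves alone.
const strategies = {
  raw: v => v,
  urlOnly: encodeForURL,
  encodeURIComponentOnly: encodeURIComponent,
  jsOnly: encodeForJavaScript,
  urlThenJs: v => encodeForJavaScript(encodeForURL(v)),
};

// Server side: the JSP template with the (encoded) value spliced in.
function renderAnchor(userValue, encode) {
  return `<a HREF="" onClick="window.open('${BASE}${encode(userValue)}', ` +
         `'windowRef', 'resizable=yes,width=800'); return false;">link text</a>`;
}

// Browser, outermost layer first: the attribute value runs to the next double
// quote, with character references decoded (simplified to five common ones).
function attributeValue(html) {
  return /onClick="([^"]*)"/.exec(html)[1]
    .replace(/&quot;/g, '"').replace(/&#39;/g, "'").replace(/&lt;/g, "<")
    .replace(/&gt;/g, ">").replace(/&amp;/g, "&");
}

// The click: the real JS parser decodes the string literal. new Function
// stands in for the browser; window.open and alert are recording stubs.
function click(handlerSource) {
  const result = { opened: null, alerted: false, syntaxError: false };
  const fakeWindow = { open: url => { result.opened = String(url); } };
  try {
    new Function("window", "alert", handlerSource)(fakeWindow, () => { result.alerted = true; });
  } catch (e) {
    result.syntaxError = e instanceof SyntaxError;
  }
  return result;
}

// page.jsp: split the query string and percent-decode each part, roughly what
// request.getParameter() would return.
function pctDecode(s) {
  try { return decodeURIComponent(s.replace(/\+/g, " ")); } catch (e) { return s; }
}
function parseQuery(url) {
  const params = {};
  const qs = url.includes("?") ? url.slice(url.indexOf("?") + 1) : "";
  for (const pair of qs.split("&").filter(p => p !== "")) {
    const i = pair.indexOf("=");
    params[pctDecode(i < 0 ? pair : pair.slice(0, i))] = pctDecode(i < 0 ? "" : pair.slice(i + 1));
  }
  return params;
}

// One strategy against one value: did the payload execute, what did page.jsp
// receive as param3, and which parameters appeared that it did not expect?
function simulate(strategyName, userValue) {
  const r = click(attributeValue(renderAnchor(userValue, strategies[strategyName])));
  const params = r.opened === null ? {} : parseQuery(r.opened);
  return {
    alerted: r.alerted,
    syntaxError: r.syntaxError,
    param3: params.param3 === undefined ? null : params.param3,
    extraParams: Object.keys(params).filter(k => !/^param[123]$/.test(k)),
  };
}

// Constructed inputs: the value from the question that must survive intact, and
// a payload that closes the literal using only characters encodeURIComponent keeps.
const CASES = { functional: "blah&a=b", payload: "x'-alert(1)-'" };
for (const [name, value] of Object.entries(CASES)) {
  for (const strategy of Object.keys(strategies)) {
    console.log(name.padEnd(10), strategy.padEnd(22), JSON.stringify(simulate(strategy, value)));
  }
}
```

    <p>Running it puts the trade-off from the question in one table:
    <tt>jsOnly</tt> keeps the script intact but page.jsp receives
    <tt>param3=blah</tt> plus an unexpected <tt>a=b</tt>, while
    <tt>urlOnly</tt> and <tt>urlThenJs</tt> both deliver
    <tt>blah&amp;a=b</tt> intact and both keep the payload inside the
    literal. It also shows the caveat behind "URL encoding alone": the result
    depends on which characters the URL encoder leaves unencoded. The same
    payload passes through <tt>encodeURIComponent</tt> untouched, because
    <tt>'</tt>, <tt>(</tt> and <tt>)</tt> are in its unreserved set, and the
    stubbed <tt>alert</tt> fires. Encoding inside-out (URL first, then
    JavaScript) does not depend on that property of the URL encoder, and
    because the JavaScript encoder emits only backslashes, letters and digits,
    its output also contains nothing an HTML attribute parser cares about.
    The simulation does not model full HTML tokenization or Java's
    <tt>URLDecoder</tt>, so it is a harness for reasoning about the layers,
    not a substitute for testing the real page.</p>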
  </body>
</html>