[OWASP-ESAPI] ESAPI JavaScript encoding and spaces?

Jeff Williams jeff.williams at owasp.org
Wed Apr 1 21:30:05 EDT 2009


Here's why.

    Javascript event handlers can be terminated with a space.  Like
    onmouseover=[user input here]

I wrote these escaping routines before I wrote
http://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
(which a senior architect at a financial firm recently called "the best
actionable write up on XSS prevention that I've ever read.  This paper, in
combination with ESAPI filters, gives people a real path to follow, rather
than just vague mumbling about how hard it is.").

Anyway, we need to update the ESAPI escaping routines to match.  I think a
method called "encodeForJavascriptQuotedString" would make sense.

Anybody interested in dancing with the devil?

--Jeff
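
As an added illustration of the distinction Jeff draws (example code written for this page, not ESAPI's own JavaScript codec): a conservative encoder that hex-escapes the space along with every other non-alphanumeric character, next to a relaxed variant for values the caller guarantees will sit inside a quoted string literal. The function names, the \xHH/\uHHHH escape format and the Function-based round-trip check are assumptions for the example.

```javascript
// Added example for this thread, not ESAPI's codec. Two encoders for data
// destined for JavaScript, differing only in whether the space is escaped.
// Function names and the \xHH / \uHHHH output format are assumptions.

const ALNUM = /^[A-Za-z0-9]$/;

// Escape a single UTF-16 code unit as \xHH (below 0x100) or \uHHHH.
function hexEscape(ch) {
  const code = ch.charCodeAt(0);
  return code < 0x100
    ? '\\x' + code.toString(16).padStart(2, '0')
    : '\\u' + code.toString(16).padStart(4, '0');
}

// Conservative form: every non-alphanumeric code unit, the space included,
// is escaped. Because a literal space ends an unquoted attribute value
// (onmouseover=...), this output stays intact even in that context.
function encodeForJavaScript(input) {
  const s = String(input);
  let out = '';
  for (let i = 0; i < s.length; i++) {
    out += ALNUM.test(s[i]) ? s[i] : hexEscape(s[i]);
  }
  return out;
}

// Relaxed form: identical, except spaces pass through. Only correct when the
// caller guarantees the value lands inside a quoted string literal, which is
// the contract the proposed "QuotedString" method name would express.
function encodeForJavaScriptQuotedString(input) {
  const s = String(input);
  let out = '';
  for (let i = 0; i < s.length; i++) {
    out += (s[i] === ' ' || ALNUM.test(s[i])) ? s[i] : hexEscape(s[i]);
  }
  return out;
}

// Self-check helper: place the encoded text inside a double-quoted JS string
// literal and confirm it evaluates back to the original value.
function decodesBack(encoded, original) {
  return Function('return "' + encoded + '";')() === original;
}
```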

From: owasp-esapi-bounces at lists.owasp.org
[mailto:owasp-esapi-bounces at lists.owasp.org] On Behalf Of Jim Manico
Sent: Wednesday, April 01, 2009 7:53 PM
To: owasp-esapi at lists.owasp.org
Subject: [OWASP-ESAPI] ESAPI JavaScript encoding and spaces?

Jeff,

Why are you encoding spaces in the JavaScript encoding routine?

It does not seem necessary in any modern browser, as long as your data is
properly quoted during assignment.

I would love a configurable version that lets me turn off space encoding for
javascript encoding.  But that is just my tactical need - what is the right
way overall?

- Jim