[OWASP-ESAPI] ESAPI JavaScript encoding and spaces?

Jim Manico jim.manico at owasp.org
Wed Apr 1 21:33:56 EDT 2009


> Anybody interested in dancing with the devil? (encodeForJavascriptQuotedString)

I will have the first version of this done and checked in by weeks end. It's easy - I'll steal your current js encoder and slightly modify.

I think that if all we had in ESAPI was the encoding library, that alone would be enough to stop the vast majority of real world problems. The rest is gravy. =) 

- Jim
  ----- Original Message ----- 
  From: Jeff Williams 
  To: 'Jim Manico' ; owasp-esapi at lists.owasp.org 
  Sent: Wednesday, April 01, 2009 3:30 PM
  Subject: RE: [OWASP-ESAPI] ESAPI JavaScript encoding and spaces?


  Here's why.

      Javascript event handlers can be terminated with a space.  Like onmouseover=[user input here]

  I wrote these escaping routines before I wrote http://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet (which a senior architect at a financial firm recently called "the best actionable write up on XSS prevention that I've ever read.  This paper, in combination with ESAPI filters, gives people a real path to follow, rather than just vague mumbling about how hard it is.").

  Anyway, we need to update the ESAPI escaping routines to match.  I think a method called "encodeForJavascriptQuotedString" would make sense.

  Anybody interested in dancing with the devil?

  --Jeff

  From: owasp-esapi-bounces at lists.owasp.org [mailto:owasp-esapi-bounces at lists.owasp.org] On Behalf Of Jim Manico
  Sent: Wednesday, April 01, 2009 7:53 PM
  To: owasp-esapi at lists.owasp.org
  Subject: [OWASP-ESAPI] ESAPI JavaScript encoding and spaces?

  Jeff,

  Why are you encoding spaces in the JavaScript encoding routine?

  It does not seem necessary in any modern browser, as long as your data is properly quoted during assignment.

  I would love a configurable version that lets me turn off space encoding for javascript encoding.  But that is just my tactical need - what is the right way overall?

  - Jim

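Added example, not from the thread and not ESAPI's code: a JavaScript-string encoder in the style discussed above, with the configurable space encoding Jim asks for, run against a toy model of how the HTML tokenizer splits an unquoted event-handler attribute at whitespace, which is the context Jeff's reply points to. The function names, the simplified attribute parser and the attacker input are all constructed for this illustration.

```javascript
// Added example, not ESAPI's code: JavaScript-string encoding in the
// style the thread discusses, and why an unquoted event-handler
// attribute makes the space character significant.

// Hex-escape every character that is not [A-Za-z0-9] for use inside a
// JavaScript string literal. encodeSpace=false is the "configurable"
// variant asked for above; it leaves ' ' alone. Works on UTF-16 code
// units, so an astral character becomes a \uXXXX surrogate pair.
function encodeForJavaScript(input, options) {
  const encodeSpace = !options || options.encodeSpace !== false;
  let out = "";
  for (let i = 0; i < input.length; i++) {
    const ch = input[i];
    const cu = input.charCodeAt(i);
    const alnum = (cu >= 0x30 && cu <= 0x39) || (cu >= 0x41 && cu <= 0x5a) || (cu >= 0x61 && cu <= 0x7a);
    if (alnum || (ch === " " && !encodeSpace)) {
      out += ch;
    } else if (cu < 0x100) {
      out += "\\x" + cu.toString(16).toUpperCase().padStart(2, "0");
    } else {
      out += "\\u" + cu.toString(16).toUpperCase().padStart(4, "0");
    }
  }
  return out;
}

// Reverse of the above, i.e. what the JavaScript engine does when it
// reads the string literal. Used here to show the round trip is lossless.
function decodeJsEscapes(encoded) {
  return encoded.replace(/\\x([0-9A-Fa-f]{2})|\\u([0-9A-Fa-f]{4})/g,
    (m, x, u) => String.fromCharCode(parseInt(x !== undefined ? x : u, 16)));
}

// Toy model of the HTML tokenizer's attribute states: a name runs until
// whitespace, '/', '>' or '='; an UNQUOTED value runs until whitespace
// or '>', which is exactly why a raw space ends the handler. Character
// references and the rest of the tokenizer are not modelled.
function parseAttributes(tagBody) {
  const re = /([^ \t\n\f\r\/>=]+)[ \t\n\f\r]*(?:=[ \t\n\f\r]*(?:"([^"]*)"|'([^']*)'|([^ \t\n\f\r>]*)))?/g;
  const attrs = [];
  let m;
  while ((m = re.exec(tagBody)) !== null) {
    let value = null;
    if (m[2] !== undefined) value = m[2];
    else if (m[3] !== undefined) value = m[3];
    else if (m[4] !== undefined) value = m[4];
    attrs.push({ name: m[1].toLowerCase(), value: value });
  }
  return attrs;
}

// The pattern from Jeff's reply: a template that drops user data into an
// event handler whose attribute value is NOT quoted.
function renderMouseoverHandler(userValue, options) {
  return "onmouseover=alert('" + encodeForJavaScript(userValue, options) + "')";
}

// Constructed attacker input for the demonstration.
const attackerInput = "x') autofocus onfocus=alert(1) y";

const loose = parseAttributes(renderMouseoverHandler(attackerInput, { encodeSpace: false }));
const strict = parseAttributes(renderMouseoverHandler(attackerInput));
console.log("spaces unencoded:", loose.map((a) => a.name));  // 4 attributes, one of them "autofocus"
console.log("spaces encoded:  ", strict.map((a) => a.name)); // ["onmouseover"] only
```

With spaces left unencoded, the single attribute the template intended becomes four: the attacker has injected a bare autofocus attribute and cut the handler's JavaScript off mid-literal, even though '=' and the parentheses were hex-encoded. With spaces encoded, the same input stays inside the one onmouseover value and decodeJsEscapes gets the original string back, so nothing is lost by encoding them. The toy parser only models attribute splitting; it is not a substitute for a real HTML tokenizer.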