[OWASP-ESAPI] ESAPI JavaScript encoding and spaces?

Jeff Williams jeff.williams at owasp.org
Thu Apr 2 09:38:18 EDT 2009


Jim,

Note that the codecs are designed to encode and decode ALL characters
according to the escaping scheme.  The Encoder class is what handles which
characters are whitelisted, and where you would add a new method.

--Jeff

From: owasp-esapi-bounces at lists.owasp.org
[mailto:owasp-esapi-bounces at lists.owasp.org] On Behalf Of Jim Manico
Sent: Wednesday, April 01, 2009 9:34 PM
To: jeffl.williams at owasp.org; owasp-esapi at lists.owasp.org
Subject: Re: [OWASP-ESAPI] ESAPI JavaScript encoding and spaces?

> Anybody interested in dancing with the devil?
(encodeForJavascriptQuotedString)

I will have the first version of this done and checked in by weeks end. It's
easy - I'll steal your current js encoder and slightly modify.

I think that if all we had in ESAPI was the encoding library, that alone
would be enough to stop the vast majority of real world problems. The rest
is gravy. =)

- Jim

----- Original Message ----- 

From: Jeff Williams <mailto:jeff.williams at owasp.org>  

To: 'Jim Manico' <mailto:jim.manico at owasp.org>  ;
owasp-esapi at lists.owasp.org 

Sent: Wednesday, April 01, 2009 3:30 PM

Subject: RE: [OWASP-ESAPI] ESAPI JavaScript encoding and spaces?

Here's why.

    Javascript event handlers can be terminated with a space.  Like
onmouseover=[user input here]

I wrote these escaping routines before I wrote
http://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
(which a senior architect at a financial firm recently called "the best
actionable write up on XSS prevention that I've ever read.  This paper, in
combination with ESAPI filters, gives people a real path to follow, rather
than just vague mumbling about how hard it is.").

Anyway, we need to update the ESAPI escaping routines to match.  I think a
method called "encodeForJavascriptQuotedString" would make sense.

Anybody interested in dancing with the devil?

--Jeff

From: owasp-esapi-bounces at lists.owasp.org
[mailto:owasp-esapi-bounces at lists.owasp.org] On Behalf Of Jim Manico
Sent: Wednesday, April 01, 2009 7:53 PM
To: owasp-esapi at lists.owasp.org
Subject: [OWASP-ESAPI] ESAPI JavaScript encoding and spaces?

Jeff,

Why are you encoding spaces in the JavaScript encoding routine?

It does not seem necessary in any modern browser, as long as your data is
properly quoted during assignment.

I would love a configurable version that lets me turn off space encoding for
javascript encoding.  But that is just my tactical need - what is the right
way overall?

- Jim

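
The following is an added illustration of the point argued in this thread; it is not ESAPI's own code. It implements an ESAPI-style JavaScript encoder that hex-escapes every character outside an alphanumeric whitelist, a hypothetical encodeForJavaScriptQuotedString that only lets a plain space through (the method Jeff proposes above; its exact behaviour is an assumption here), and a toy model of the HTML tokenizer's unquoted-attribute-value state. The sample input is constructed. Running it shows why the all-characters codec survives onmouseover=[user input] while the space-preserving variant is cut at the first space:

```javascript
// Added example, not ESAPI's own code. Demonstrates why an encoder that
// escapes ALL non-whitelisted characters (including space) is the safe
// default, and where a hypothetical "quoted string" variant that keeps
// spaces would be cut short by the HTML parser.

const SAFE = /^[A-Za-z0-9]$/;

// Hex-escape one UTF-16 code unit: \xHH below 0x100, \uHHHH otherwise.
// Astral characters become a surrogate pair of \u escapes, which a JS
// string literal accepts.
function escapeCodeUnit(cu) {
  const hex = cu.toString(16).toUpperCase();
  return cu < 0x100 ? "\\x" + hex.padStart(2, "0") : "\\u" + hex.padStart(4, "0");
}

// Encode every non-whitelisted character. The output is safe inside a JS
// string literal and, because space, quotes, <, >, = are all escaped, it
// also cannot break out of an UNQUOTED HTML attribute that carries it.
function encodeForJavaScript(input) {
  let out = "";
  for (let i = 0; i < input.length; i++) {
    const ch = input[i];
    out += SAFE.test(ch) ? ch : escapeCodeUnit(input.charCodeAt(i));
  }
  return out;
}

// Hypothetical encodeForJavaScriptQuotedString (assumed behaviour): same
// codec, but a plain space passes through because a quoted JS string does
// not end at a space. Only valid when the caller guarantees the output
// lands inside a quoted JS string in a quoted attribute or a <script> block.
function encodeForJavaScriptQuotedString(input) {
  return input.split(" ").map(encodeForJavaScript).join(" ");
}

// Reverse the \xHH / \uHHHH escapes to confirm a JS engine parsing the
// literal gets the original text back.
function decodeJsEscapes(s) {
  return s.replace(/\\x([0-9A-Fa-f]{2})|\\u([0-9A-Fa-f]{4})/g,
    (_m, x, u) => String.fromCharCode(parseInt(x || u, 16)));
}

// Toy model of the HTML tokenizer's "attribute value (unquoted)" state:
// the value ends at the first tab, LF, FF, space or '>'. Whatever follows
// a space is parsed as a NEW attribute name, no longer part of onmouseover.
function unquotedAttributeValue(text) {
  return /^[^\t\n\f >]*/.exec(text)[0];
}

// Render onmouseover=<encoded input> without quotes and report how much of
// the encoded value the tokenizer still assigns to onmouseover.
function renderEventHandler(encoder, userInput) {
  const encoded = encoder(userInput);
  const kept = unquotedAttributeValue(encoded);
  return { attr: "onmouseover=" + encoded, kept, intact: kept === encoded };
}

// Stand-alone demo with a constructed sample value.
const SAMPLE = "Jim's 1st draft";
for (const enc of [encodeForJavaScript, encodeForJavaScriptQuotedString]) {
  const r = renderEventHandler(enc, SAMPLE);
  console.log(enc.name + ": " + r.attr +
    (r.intact ? "  (intact)" : "  (cut at space; kept only '" + r.kept + "')"));
}
```

With a properly quoted assignment both encoders decode to the same string, so escaping the space costs nothing there; in the unquoted onmouseover= case only the all-characters codec keeps the value in one piece, which is the reason the thread gives for leaving space in the escaped set by default and making the space-preserving form an explicit, separately named method.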