[OWASP-ESAPI] JavaScript Encoding and Event Attributes

Jeremy Long jeremy.long at gmail.com
Fri Apr 3 16:35:32 EDT 2009

I have been playing around with the different encoders in the ESAPI and I am
curious about one decision.  As I hope everyone knows, any data written into
an HTML Event Attribute, such as onclick, will be HTML decoded prior to
being passed to the JavaScript Interpreter.  Thus, HTMLAttributeEncoding is
only partially effective when dealing with event attributes.  To deal with
dynamic content within HTML Event attributes you would have to first
JavaScript encode it - and then HTMLAttributeEncode the data.

However, what about just JavaScript encoding data that goes into an HTML
Event Handler?  Would this work?  Take for instance the following JSP code:

 <a href="#" onclick="doSomething('<%= e.encodeForJavaScript("\", href=woot.jsp") %>')"> click me</a>

The HTML generated would look like:

<a onclick="doSomething('\", href\x3Dwoot.jsp')">click me </a>

Because the HTML Parser executes prior to passing any data to the JavaScript
Interpreter we end up with a broken page: the only code in the
onClick event is "doSomething('\".  Nothing else appears to be passed to the
JavaScript engine.  As such, we can effectively break the page because the
JavaScript encoding converts single and double quotes to \' and \"
respectively instead of their hexadecimal representation \x27 and \x22.
Someone smarter than myself may be able to figure out a way to execute
something malicious if only JavaScript encoding was used in an event
attribute - but I haven't been able to come up with anything other than
breaking the page.

However, unless I am mistaken - if the JavaScript encoding used the hex
values for ' and " you could use the ESAPI's JavaScript encoding by itself
to protect event handlers.  I would love to know if I am wrong about this...

Was there a reason for using the escaped \' and \" instead of the hex
encoded versions?  Using the numeric values might make it easier to safely
encode data in Event Attributes and not require two different encoding

Thoughts?  Comments?

Jeremy Long
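Added example, not code from the post above or from ESAPI: a small JavaScript model of the two parsing stages the mail describes. The HTML parser first extracts the onclick attribute value (terminating it at the next double quote, with no notion of backslash escapes) and entity-decodes it; only then does the JavaScript engine parse the result. All function names here (jsEncodeBackslashQuotes, jsEncodeHex, htmlAttributeEncode, htmlAttributeValue, runHandler, renderAnchor, roundTrip) are hypothetical, and the two JavaScript encoders model the behaviours the post contrasts rather than ESAPI's actual implementation. The payload is the one from the post.

```javascript
// Added example (not ESAPI code, not from the original post). Models the
// HTML-parse-then-JavaScript-parse pipeline for an onclick attribute.

// JavaScript-string encoder that escapes quotes with a backslash, as the post
// says ESAPI did (assumption: models the described behaviour, not its code).
function jsEncodeBackslashQuotes(s) {
  return s.replace(/[\\'"]/g, (c) => '\\' + c);
}

// JavaScript-string encoder that hex-escapes everything outside [A-Za-z0-9],
// the alternative the post proposes. Iterates UTF-16 code units so every
// escape is a valid \xHH or \uHHHH sequence.
function jsEncodeHex(s) {
  let out = '';
  for (let i = 0; i < s.length; i++) {
    const cu = s.charCodeAt(i);
    const ch = s[i];
    if (/[A-Za-z0-9]/.test(ch)) {
      out += ch;
    } else if (cu < 0x100) {
      out += '\\x' + cu.toString(16).toUpperCase().padStart(2, '0');
    } else {
      out += '\\u' + cu.toString(16).toUpperCase().padStart(4, '0');
    }
  }
  return out;
}

// HTML attribute encoder: entity-encodes the characters that can terminate
// or alter an attribute value. Used for the "JS-encode, then attribute-encode"
// path the post describes as the safe two-step approach.
function htmlAttributeEncode(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Models the HTML parser: a double-quoted attribute value runs to the next
// '"' regardless of backslashes, and entities are decoded before the value
// is handed to the script engine.
function htmlAttributeValue(markup, name) {
  const start = markup.indexOf(name + '="');
  if (start < 0) throw new Error('attribute not found');
  const from = start + name.length + 2;
  const end = markup.indexOf('"', from);
  const raw = markup.slice(from, end < 0 ? markup.length : end);
  return raw
    .replace(/&#x([0-9a-fA-F]+);/g, (_, h) => String.fromCodePoint(parseInt(h, 16)))
    .replace(/&quot;/g, '"').replace(/&lt;/g, '<').replace(/&gt;/g, '>')
    .replace(/&amp;/g, '&');
}

// Models the JavaScript engine: compiles and runs the handler body with
// doSomething bound to a capturing callback. Returns the argument the handler
// passed, or the string 'SyntaxError' if the handler no longer parses.
function runHandler(body) {
  let captured;
  try {
    new Function('doSomething', body)((v) => { captured = v; });
  } catch (e) {
    return e instanceof SyntaxError ? 'SyntaxError' : 'Error: ' + e.message;
  }
  return captured;
}

// Renders the anchor from the post with an already-encoded untrusted value.
function renderAnchor(encoded) {
  return '<a href="#" onclick="doSomething(\'' + encoded + '\')">click me</a>';
}

// End to end: untrusted value -> encoder(s) -> HTML parser -> JS engine.
function roundTrip(value, encode) {
  return runHandler(htmlAttributeValue(renderAnchor(encode(value)), 'onclick'));
}

// Constructed input: the payload used in the post.
const payload = '", href=woot.jsp';

console.log(roundTrip(payload, jsEncodeBackslashQuotes)); // SyntaxError (page broken)
console.log(roundTrip(payload, jsEncodeHex)); // ", href=woot.jsp
console.log(roundTrip(payload, (v) => htmlAttributeEncode(jsEncodeBackslashQuotes(v)))); // ", href=woot.jsp
```

With backslash-quote encoding, the HTML parser ends the attribute value at the `"` inside `\"`, so the script engine receives `doSomething('\` and throws a SyntaxError, which is exactly the broken page the post describes. With hex encoding the emitted text contains only `[A-Za-z0-9\x]` characters, so the attribute parser has nothing to terminate or entity-decode and the original string reaches doSomething intact; the same holds for the JavaScript-encode-then-HTML-attribute-encode path, where `\"` is carried through the attribute as `\&quot;`.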