jeremy.long at gmail.com
Fri Apr 3 16:35:32 EDT 2009
I have been playing around with the different encoders in the ESAPI and I am
curious about one decision. As I hope everyone knows any data written into
an HTML Event Attribute, such as onclick, will be HTML decoded prior to
only partially effective when dealing with event attributes. To deal with
dynamic content within HTML Event attributes you would have to first
Event Handler? Would this work? Take for instance the following JSP code:
href=woot.jsp") %>')" > click me</a>
The HTML generated would look like:
<a onclick="doSomething('\", href\x3Dwoot.jsp')">click me </a>
Interpreter we end up with a broken page. Because the only code in the
onClick event is "doSomething('\". Nothing else appears to be passed to the
respectively instead of their hexadecimal representation \x27 and \x22.
Someone smarter than myself may be able to figure out a way to execute
attribute - but I haven't been able to come up with anything other than
breaking the page.
to protect event handlers. I would love to know if I am wrong about this...
Was there a reason for using the escaped \' and \" instead of the hex
encoded versions? Using the numeric values might make it easier to safely
encode data in Event Attributes and not require two different encoding
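The following is an added example, not part of the post above and not ESAPI code, that models the two decoding steps the post describes (HTML attribute decoding, then the JavaScript string parser) and compares a JavaScript encoder that emits raw \" and \' with one that emits only \xHH / \uHHHH escapes. The browser model is deliberately simplified (attribute value ends at the first raw double quote, only a handful of character references are decoded), and every function name here is a hypothetical helper written for this example.

```javascript
// Added example: why a JavaScript-string encoder that only emits \xHH / \uHHHH
// escapes survives placement in an HTML event attribute, while one that emits a
// raw \" does not. Not ESAPI code; all helpers below are hypothetical.

// Encoder 1: backslash-escapes quotes and backslashes (the \' and \" style).
function jsEscapeBackslash(s) {
  return s.replace(/[\\'"]/g, (ch) => "\\" + ch);
}

// Encoder 2: escapes every character outside [A-Za-z0-9] numerically, so the
// output never contains a raw quote, ampersand, angle bracket or lone backslash.
function jsEscapeHex(s) {
  return Array.from(s, (ch) => {
    if (/[A-Za-z0-9]/.test(ch)) return ch;
    const cp = ch.codePointAt(0);
    if (cp < 0x100) return "\\x" + cp.toString(16).padStart(2, "0");
    if (cp < 0x10000) return "\\u" + cp.toString(16).padStart(4, "0");
    return "\\u{" + cp.toString(16) + "}";
  }).join("");
}

// HTML encoder for a double-quoted attribute value.
const ATTR_ENTITIES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
function htmlAttrEncode(s) {
  return s.replace(/[&<>"']/g, (ch) => ATTR_ENTITIES[ch]);
}

// Simplified stand-in for the browser's character-reference decoding of an
// attribute value (single pass, a few named/numeric references only).
const ATTR_REFS = { amp: "&", lt: "<", gt: ">", quot: '"', "#39": "'", "#x27": "'" };
function htmlAttrDecode(s) {
  return s.replace(/&(amp|lt|gt|quot|#39|#x27);/g, (m, name) => ATTR_REFS[name]);
}

// Decodes the body of a single-quoted JS string literal. Returns null when the
// literal would end early (unescaped ') or an escape is malformed.
function decodeSingleQuotedJsLiteral(body) {
  let out = "";
  for (let i = 0; i < body.length; i++) {
    const ch = body[i];
    if (ch === "'") return null; // literal terminated early: syntax error
    if (ch !== "\\") { out += ch; continue; }
    const next = body[++i];
    if (next === undefined) return null; // dangling backslash
    if (next === "x") {
      const cp = parseInt(body.substr(i + 1, 2), 16);
      if (Number.isNaN(cp)) return null;
      out += String.fromCharCode(cp); i += 2;
    } else if (next === "u" && body[i + 1] === "{") {
      const close = body.indexOf("}", i);
      const cp = parseInt(body.slice(i + 2, close), 16);
      if (close === -1 || Number.isNaN(cp)) return null;
      out += String.fromCodePoint(cp); i = close;
    } else if (next === "u") {
      const cp = parseInt(body.substr(i + 1, 4), 16);
      if (Number.isNaN(cp)) return null;
      out += String.fromCharCode(cp); i += 4;
    } else {
      out += next; // \\ \' \" and other identity escapes
    }
  }
  return out;
}

// Builds <a onclick="doSomething('...')"> the way the JSP in the post does,
// then replays the browser: the attribute value ends at the first raw double
// quote, character references are decoded, and what is left is parsed as the
// doSomething call. Returns the string doSomething would receive, or null if
// the markup or the script is broken.
function simulateEventAttribute(value, jsEncoder, attrEncode) {
  let encoded = jsEncoder(value);
  if (attrEncode) encoded = htmlAttrEncode(encoded);
  const markup = `<a onclick="doSomething('${encoded}')">click me</a>`;
  const start = markup.indexOf('onclick="') + 'onclick="'.length;
  const end = markup.indexOf('"', start);
  const source = htmlAttrDecode(markup.slice(start, end));
  const prefix = "doSomething('", suffix = "')";
  if (source.length < prefix.length + suffix.length) return null;
  if (!source.startsWith(prefix) || !source.endsWith(suffix)) return null;
  return decodeSingleQuotedJsLiteral(source.slice(prefix.length, source.length - suffix.length));
}

// Constructed input matching the post's broken case:
const sample = '", href=woot.jsp';
simulateEventAttribute(sample, jsEscapeBackslash, false); // → null (attribute cut at \")
simulateEventAttribute(sample, jsEscapeBackslash, true);  // → sample (JS-encode, then attribute-encode)
simulateEventAttribute(sample, jsEscapeHex, false);       // → sample (no raw quote to cut on)
```

The backslash-style encoder only works when its output is additionally HTML-attribute-encoded, which is the two-step layering the post complains about; the numeric encoder yields the same result with or without that second step because nothing it emits is significant to the HTML tokenizer. The `&quot;` case in the test is the other direction of the same problem: a raw ampersand left by the backslash encoder is decoded by the browser before the script ever runs.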