[OWASP-ESAPI] JavaScript Encoding and Event Attributes

Jeff Williams jeff.williams at owasp.org
Mon Apr 6 12:07:50 EDT 2009


Hi Jeremy,

You're exactly right about what's going on here. We changed the JavaScript
codec to use hex encoding for everything back in December.

http://code.google.com/p/owasp-esapi-java/source/browse/trunk/src/main/java/org/owasp/esapi/codecs/JavaScriptCodec.java

We're in a push to get the next version built and out the door in a few
weeks.

--Jeff

From: owasp-esapi-bounces at lists.owasp.org
[mailto:owasp-esapi-bounces at lists.owasp.org] On Behalf Of Jeremy Long
Sent: Friday, April 03, 2009 4:36 PM
To: owasp-esapi at lists.owasp.org
Subject: [OWASP-ESAPI] JavaScript Encoding and Event Attributes

I have been playing around with the different encoders in the ESAPI and I am
curious about one decision. As I hope everyone knows, any data written into
an HTML Event Attribute, such as onclick, will be HTML decoded prior to
being passed to the JavaScript Interpreter. Thus, HTMLAttributeEncoding is
only partially effective when dealing with event attributes. To deal with
dynamic content within HTML Event attributes you would have to first
JavaScript encode it - and then HTMLAttributeEncode the data.

However, what about just JavaScript encoding data that goes into an HTML
Event Handler? Would this work? Take for instance the following JSP code:

<a href="#" onclick="doSomething('<%= e.encodeForJavaScript("\", href=woot.jsp") %>')"  > click me</a>

The HTML generated would look like:

<a onclick="doSomething('\", href\x3Dwoot.jsp')">click me </a>

Because the HTML Parser executes prior to passing any data to the JavaScript
Interpreter, we end up with a broken page, because the only code in the
onClick event is "doSomething('\". Nothing else appears to be passed to the
JavaScript engine. As such, we can effectively break the page because the
JavaScript encoding converts single and double quotes to \' and \"
respectively instead of their hexadecimal representation \x27 and \x22.
Someone smarter than myself may be able to figure out a way to execute
something malicious if only JavaScript encoding was used in an event
attribute - but I haven't been able to come up with anything other than
breaking the page.

However, unless I am mistaken - if the JavaScript encoding used the hex
values for ' and " you could use the ESAPI's JavaScript encoding by itself
to protect event handlers.  I would love to know if I am wrong about this...

Was there a reason for using the escaped \' and \" instead of the hex
encoded versions?  Using the numeric values might make it easier to safely
encode data in Event Attributes and not require two different encoding
mechanisms.

Thoughts?  Comments?

Jeremy Long
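As an added illustration of the behaviour described in this thread (example code written for this page, not ESAPI's JavaScriptCodec), the following contrasts a backslash-quote encoder with a hex-everything encoder and models how a browser hands a double-quoted onclick attribute to the JavaScript engine. The attribute tokenizer and entity decoder are deliberately minimal and are assumptions of this example, not browser code.

```javascript
// Added example (not ESAPI code): two JavaScript string encoders and a tiny
// model of how a browser treats onclick="...", to show why backslash-escaped
// quotes break an event attribute while \xHH escapes survive it.

// Older behaviour described in the thread: quotes become \' and \".
function encodeForJavaScriptBackslash(s) {
  return s.replace(/[\\'"]/g, (c) => '\\' + c);
}

// Hex-everything behaviour: every character outside [A-Za-z0-9] becomes
// \xHH (code units above 0xFF become \uHHHH). The output never contains
// a quote, '<' or '&', so it can neither end the attribute nor be altered
// by HTML entity decoding before it reaches the JavaScript engine.
function encodeForJavaScriptHex(s) {
  let out = '';
  for (let i = 0; i < s.length; i++) {
    const ch = s[i];
    const code = s.charCodeAt(i);
    if (/[A-Za-z0-9]/.test(ch)) out += ch;
    else if (code < 0x100) out += '\\x' + code.toString(16).toUpperCase().padStart(2, '0');
    else out += '\\u' + code.toString(16).toUpperCase().padStart(4, '0');
  }
  return out;
}

// The JSP from the thread: onclick="doSomething('<%= encode(x) %>')".
function renderOnclickBody(encoder, untrusted) {
  return "doSomething('" + encoder(untrusted) + "')";
}

// What the HTML parser hands to the JavaScript engine for a double-quoted
// attribute: the text up to the first '"', with character references decoded.
// Minimal decoder (assumed model): five named entities and numeric references.
function attributeValueSeenByJs(attrBody) {
  const end = attrBody.indexOf('"');
  const raw = end === -1 ? attrBody : attrBody.slice(0, end);
  const named = { quot: '"', amp: '&', lt: '<', gt: '>', apos: "'" };
  return raw.replace(/&(#x[0-9a-fA-F]+|#[0-9]+|quot|amp|lt|gt|apos);/g, (m, ref) => {
    if (ref[0] !== '#') return named[ref];
    const hex = ref[1] === 'x';
    return String.fromCharCode(parseInt(ref.slice(hex ? 2 : 1), hex ? 16 : 10));
  });
}

// Evaluate the encoded text as a JS string literal to confirm it round-trips
// to the original value once it does reach the JavaScript engine.
function jsStringLiteralValue(encoded) {
  return new Function('return "' + encoded + '";')();
}
```

With the thread's input `", href=woot.jsp`, the backslash encoder leaves the attribute value at `doSomething('\` (the parser stops at the escaped quote), while the hex encoder yields a value containing only `[A-Za-z0-9\x]` characters that decodes back to the original string.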
