[Owasp-java-encoder-project] Link Injection
jeremy.long at gmail.com
Tue Oct 22 01:05:01 UTC 2013
Please provide a more specific example of what you want to do. Encoding for
content into links can be complicated, especially if you are allowing the
events. But I completely understand that not everyone gets to start green
field and build an application that can fully utilize CSP.
Consider looking at the DOM Based XSS cheatsheet's complex contexts:
protocol you have to understand that the browser will first HTML Attribute
then URL decode the data after the colon, and pass this data to the
to follow the guidance from Romain Gaucher @ Coverity and utilize
nested/layered encoding (
Or if you are using a robust encoder, which I believe the Java Encoder
on the fact that the dynamic data is wrapped in quotes).
Hopefully that helps, if not please provide a more specific example
(including the location of the dynamic data you want to write out).
On Mon, Oct 21, 2013 at 4:43 PM, Weaver, Aaron <aaron.weaver at pearson.com> wrote:
> Quick question: What method do you recommend to encode for link injection?
> For example:
> Owasp-java-encoder-project mailing list
> Owasp-java-encoder-project at lists.owasp.org
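
The layered encoding discussed in the reply above, as an added example that is not part of the original message or the project's own code. It assumes the dynamic value is written into a double-quoted `href` attribute and uses the OWASP Java Encoder's `Encode.forUriComponent` and `Encode.forHtmlAttribute`; the class name, method names, URL path, scheme allowlist and sample inputs are hypothetical.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;
import java.util.Set;
import org.owasp.encoder.Encode;

public class LinkEncodingExample {
    // Assumption: only these schemes are acceptable for user-supplied links.
    private static final Set<String> ALLOWED_SCHEMES = Set.of("http", "https");

    // Case 1: untrusted data is a query parameter value inside a fixed URL.
    // Encode in the reverse of the browser's decode order: URL component
    // first (innermost layer), then HTML attribute (outermost layer).
    static String searchLink(String untrustedTerm) {
        String url = "/search?q=" + Encode.forUriComponent(untrustedTerm);
        return "<a href=\"" + Encode.forHtmlAttribute(url) + "\">results</a>";
    }

    // Case 2: untrusted data is the whole link target. Encoding cannot make
    // an unwanted scheme safe, so validate the scheme first, then encode.
    static String userLink(String untrustedUrl) {
        String target = "#"; // inert fallback when validation fails
        if (untrustedUrl != null) {
            try {
                URI uri = new URI(untrustedUrl.trim());
                String scheme = uri.getScheme();
                if (scheme != null
                        && ALLOWED_SCHEMES.contains(scheme.toLowerCase(Locale.ROOT))) {
                    target = uri.toASCIIString();
                }
            } catch (URISyntaxException e) {
                // Unparseable input keeps the inert fallback.
            }
        }
        return "<a href=\"" + Encode.forHtmlAttribute(target) + "\">link</a>";
    }

    public static void main(String[] args) {
        // Constructed sample inputs, not taken from the thread.
        System.out.println(searchLink("rock & roll\" x=\"y"));
        System.out.println(userLink("https://example.com/?a=1&b=2"));
        System.out.println(userLink("javascript:void(0)"));
    }
}
```

The quotes around the attribute value in the emitted markup matter: `Encode.forHtmlAttribute` is intended for quoted attribute values.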