[Owasp-java-encoder-project] Link Injection

Jeremy Long jeremy.long at gmail.com
Tue Oct 22 01:05:01 UTC 2013


Aaron,

Please provide a more specific example of what you want to do. Encoding for
content into links can be complicated, especially if you are allowing the
javascript protocol. My recommendation would be to completely avoid inline
script (i.e. the javascript protocol and all of the onclick, onerror, etc.
attributes). Instead, utilize external JavaScript and hook the necessary
events. But I completely understand that not everyone gets to start greenfield
and build an application that can fully utilize CSP.

Consider looking at the DOM Based XSS cheatsheet's complex contexts:
https://www.owasp.org/index.php/DOM_based_XSS_Prevention_Cheat_Sheet#Complex_Contexts

If you are actually putting dynamic data into an href using the javascript
protocol you have to understand that the browser will first HTML Attribute
decode the entire URL, determine that it is using the javascript protocol,
then URL decode the data after the colon, and pass this data to the
JavaScript interpreter. So depending on your encoding library you may want
to follow the guidance from Romain Gaucher @ Coverity and utilize
nested/layered encoding
(https://communities.coverity.com/blogs/security/2012/11/05/using-the-coverity-security-library-with-guidance-from-security-advisor).
Or if you are using a robust encoder, which I believe the Java Encoder
Project is, you could just use the JavaScript encoding (depending of course
on the fact that the dynamic data is wrapped in quotes).

Hopefully that helps; if not, please provide a more specific example
(including the location of the dynamic data you want to write out).

--Jeremy
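The decode chain Jeremy describes (HTML attribute decode of the whole URL, scheme check, percent decode of everything after the colon, then the JavaScript engine) is easy to model. The following is an added example, not code from the OWASP Java Encoder project or from either poster: it builds `href="javascript:handleClick('DATA')"` three ways (layered encoding, JavaScript encoding alone, and a deliberately weak encoder), runs each through a small model of the browser's decode steps, and reports what the click handler actually receives. The encoder functions, the `handleClick` name and the sample data are all assumptions made for this example; only `encodeURIComponent` is a real API.

```javascript
// Added example (not the Java Encoder project's code): a model of the decode
// chain a browser applies to <a href="javascript:..."> and the encoding layers
// that survive it. The encoders below are small stand-ins written for this
// example; they are not the org.owasp.encoder API.

// Innermost layer: escape for a JavaScript string literal. Everything outside a
// conservative allow-list becomes \uXXXX, so quotes, backslashes, <, >, &, %
// and line terminators can never end the literal or the script.
function encodeForJavaScript(s) {
  let out = '';
  for (let i = 0; i < s.length; i++) {
    if (/[A-Za-z0-9 ,._-]/.test(s[i])) out += s[i];
    else out += '\\u' + s.charCodeAt(i).toString(16).padStart(4, '0');
  }
  return out;
}

// Middle layer: percent-encoding for the part of the URL after "javascript:".
function encodeForUriComponent(s) {
  return encodeURIComponent(s);
}

// Outermost layer: HTML attribute encoding for the href value itself.
function encodeForHtmlAttribute(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (ch) => map[ch]);
}

// A deliberately weak encoder for comparison: it escapes only the characters
// that would end a single-quoted JS literal and ignores the URL layer entirely.
function encodeNaive(s) {
  return s.replace(/\\/g, '\\\\').replace(/'/g, "\\'");
}

// Three ways of placing untrusted data inside href="javascript:handleClick('DATA')".
// Layered: attribute( url( javascript(data) ) ), the reverse of the decode order.
function hrefLayered(data) {
  return "javascript:handleClick('" +
    encodeForHtmlAttribute(encodeForUriComponent(encodeForJavaScript(data))) + "')";
}
// JS-only: works because the \uXXXX output contains no character that either
// outer decoder touches (no &, no %). This is the "robust encoder" case, and it
// still depends on the data being wrapped in quotes.
function hrefJsOnly(data) {
  return "javascript:handleClick('" + encodeForJavaScript(data) + "')";
}
function hrefNaive(data) {
  return "javascript:handleClick('" + encodeNaive(data) + "')";
}

// --- Browser model --------------------------------------------------------
// Step 1: HTML-attribute-decode the whole attribute value (named and numeric refs).
function decodeHtmlAttribute(s) {
  const named = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'" };
  return s.replace(/&(?:#x([0-9a-f]+)|#([0-9]+)|([a-z]+));/gi, (m, hex, dec, name) => {
    if (hex) return String.fromCodePoint(parseInt(hex, 16));
    if (dec) return String.fromCodePoint(parseInt(dec, 10));
    return named[name.toLowerCase()] ?? m;
  });
}
// Step 3: percent-decode the data after the colon. Byte-wise decoding suffices
// here because the inner layer leaves only ASCII; a real browser also decodes UTF-8.
function percentDecode(s) {
  return s.replace(/%([0-9a-f]{2})/gi, (_, h) => String.fromCharCode(parseInt(h, 16)));
}
function simulateBrowser(hrefAttrValue) {
  const url = decodeHtmlAttribute(hrefAttrValue);                              // step 1
  if (!/^javascript:/i.test(url)) return { scheme: 'other', script: null };   // step 2
  return { scheme: 'javascript', script: percentDecode(url.slice('javascript:'.length)) };
}
// Step 4: hand the script to the JS engine with a recording handleClick.
function argumentSeenByScript(hrefAttrValue) {
  const { scheme, script } = simulateBrowser(hrefAttrValue);
  if (scheme !== 'javascript') throw new Error('not a javascript: URL');
  let received = null;
  new Function('handleClick', script)((arg) => { received = arg; });
  return received;
}

// Constructed sample data covering every character class the three decoders care about.
const SAMPLE_DATA = 'Jane\'s "Report" <b>&amp;</b> 100%';

for (const [label, build] of [['layered', hrefLayered], ['js-only', hrefJsOnly]]) {
  const ok = argumentSeenByScript(build(SAMPLE_DATA)) === SAMPLE_DATA;
  console.log(label, ok ? 'round-trips intact' : 'CORRUPTED');
}
// The naive encoder ignores the URL layer: "50%25 off" reaches the script as "50% off".
console.log('naive', JSON.stringify(argumentSeenByScript(hrefNaive('50%25 off'))));
```

The naive case is the point of the layered approach: any `%` sequence the encoder leaves alone is rewritten by the browser's percent decode before the JavaScript engine ever sees it, so an encoder that only escapes quotes and backslashes does not control what the script receives. The allow-list encoder avoids the problem by emitting nothing the outer decoders act on, which is why JavaScript encoding alone can be enough with a robust encoder. The design Jeremy actually recommends, an external handler bound to the element with the data carried in an attribute rather than in a `javascript:` URL, removes the inner two layers altogether.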


On Mon, Oct 21, 2013 at 4:43 PM, Weaver, Aaron <aaron.weaver at pearson.com> wrote:

> Quick question: What method do you recommend to encode for link injection?
> For example:
>
> <a href="javascript:alert(1)">click here</a>
>
> Thanks
>