This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "CRV2 ContextEncJscriptParams"
From OWASP
| Line 26: | Line 26: | ||
window.setInterval('...EVEN IF YOU ESCAPE UNTRUSTED DATA YOU ARE XSSED HERE...'); | window.setInterval('...EVEN IF YOU ESCAPE UNTRUSTED DATA YOU ARE XSSED HERE...'); | ||
</script> | </script> | ||
| + | |||
| + | |||
| + | var txtField = "A1"; | ||
| + | var txtUserInput = "'[email protected]';'''alert(1);'''"; | ||
| + | '''eval'''( "document.forms[0]." + txtField + ".value =" + A1); | ||
Revision as of 13:21, 21 October 2013
Untrusted data, if being placed inside a Javascript function/code requires validation. Unvalidated data may break out of the data context and wind up being executed in the code context on a users browser.
Examples of exploitation points (sinks) which are worth reviewing for:
<script>var currentValue='UNTRUSTED DATA';</script>
<script>someFunction('UNTRUSTED DATA');</script>
attack: ');/* BAD STUFF */
Potential solutions:
OWASP HTML sanatiser Project
OWASP JSON Sanitizer Project
ESAPI javascript escaping can be call in this manner:
String safe = ESAPI.encoder().encodeForJavaScript( request.getParameter( "input" ) );
Please note there are some JavaScript functions that can never safely use untrusted data as input - EVEN IF JAVASCRIPT ESCAPED!
For example:
<script>
window.setInterval('...EVEN IF YOU ESCAPE UNTRUSTED DATA YOU ARE XSSED HERE...');
</script>
var txtField = "A1";
var txtUserInput = "'[email protected]';alert(1);";
eval( "document.forms[0]." + txtField + ".value =" + A1);
