CRV2 ContextEncJscriptParams
From OWASP
Revision as of 13:11, 21 October 2013
Untrusted data that is placed inside JavaScript code (for example as a string literal assigned to a variable, or as an argument to a function call) requires validation and, at the point where it is written into the page, encoding for the JavaScript context. Data that is written out unvalidated and unencoded can break out of the data context (the quoted string) and wind up being executed in the code context in the user's browser.
Examples of exploitation points (sinks) which are worth reviewing for:
    <script>var currentValue='UNTRUSTED DATA';</script>
    <script>someFunction('UNTRUSTED DATA');</script>
    attack: ');/* BAD STUFF */
In both sinks the untrusted value sits inside a single-quoted string literal. The attack value closes that literal with ', closes the call or statement with ); and then opens a comment with /* so that whatever followed the original literal is swallowed; anything the attacker put in place of BAD STUFF runs as script.
Potential solutions: