CRV2 ContextEncJscriptParams
From OWASP
Untrusted data, if being placed inside a Javascript function/code requires validation. Unvalidated data may break out of the data context and wind up being executed in the code context on a users browser.
Examples of exploitation points (sinks) which are worth reviewing for:
<script>var currentValue='UNTRUSTED DATA';</script>
<script>someFunction('UNTRUSTED DATA');</script>
attack: ');/* BAD STUFF */
Potential solutions:
OWASP HTML sanatiser Project
OWASP JSON Sanitizer Project
ESAPI javascript escaping can be call in this manner:
String safe = ESAPI.encoder().encodeForJavaScript( request.getParameter( "input" ) );
Please note there are some JavaScript functions that can never safely use untrusted data as input - EVEN IF JAVASCRIPT ESCAPED!
For example:
<script>
window.setInterval('...EVEN IF YOU ESCAPE UNTRUSTED DATA YOU ARE XSSED HERE...');
</script>
eval()
var txtField = "A1";
var txtUserInput = "'[email protected]';alert(1);";
eval( "document.forms[0]." + txtField + ".value =" + A1);
jquery
var txtAlertMsg = "Hello World: ";
var txtUserInput = "test<script>alert(1)<\/script>";
$("#message").html( txtAlertMsg +"" + txtUserInput + "");
Safe usage (use text, not html)
$("#userInput").text( "test<script>alert(1)<\/script>");<-- treat user input as text
