CRV2 ContextEncJscriptParams
From OWASP
Untrusted data that is placed inside a JavaScript function or code block requires validation. Unvalidated data may break out of the data context and end up being executed in the code context in a user's browser.
Examples of exploitation points (sinks) worth reviewing for:
<script>var currentValue='UNTRUSTED DATA';</script>
<script>someFunction('UNTRUSTED DATA');</script>
Attack payload that breaks out of the string literal in either sink: ');/* BAD STUFF */
Potential solutions:
OWASP HTML Sanitizer Project
OWASP JSON Sanitizer Project
ESAPI JavaScript escaping can be called in this manner:
String safe = ESAPI.encoder().encodeForJavaScript( request.getParameter( "input" ) );
Please note there are some JavaScript functions that can never safely use untrusted data as input - EVEN IF JAVASCRIPT ESCAPED! Escaping only guarantees that the data stays a single string literal; once a function such as setInterval receives that string, it evaluates the decoded text as code.
For example:
<script>
// A string argument to setInterval is evaluated as code, so escaping merely
// preserves the attacker's text until it reaches the evaluator.
window.setInterval('...EVEN IF YOU ESCAPE UNTRUSTED DATA YOU ARE XSSED HERE...');
</script>
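The following is an added example written for this page; it is not code from OWASP or from ESAPI. It re-implements the escaping rule used for the JavaScript string context (every character outside [A-Za-z0-9] becomes \xHH, or \uHHHH above 0xFF; the function name encodeForJavaScript mirrors the ESAPI call above but is a local assumption), renders the first sink from the list with the attack payload, and parses the result with the real JavaScript parser to show that the payload stays a single string. The last helper shows why this does not help the setInterval sink: after parsing, the escaped value decodes back to exactly what the attacker supplied, which is what the evaluating function then runs.

```javascript
// Added example: minimal JavaScript-string-context escaper (not ESAPI's code).
// Every UTF-16 code unit outside [A-Za-z0-9] is emitted as \xHH or \uHHHH,
// so quotes, slashes, angle brackets and newlines can never close the literal,
// start a comment, or end the enclosing <script> element.
function encodeForJavaScript(input) {
  const s = String(input);
  let out = "";
  for (let i = 0; i < s.length; i++) {
    const ch = s[i];
    const cu = s.charCodeAt(i); // UTF-16 code unit, always < 0x10000
    if (/[A-Za-z0-9]/.test(ch)) {
      out += ch;
    } else if (cu < 0x100) {
      out += "\\x" + cu.toString(16).toUpperCase().padStart(2, "0");
    } else {
      out += "\\u" + cu.toString(16).toUpperCase().padStart(4, "0");
    }
  }
  return out;
}

// The first sink from the page, rendered server-side with the escaped value.
function renderCurrentValue(untrusted) {
  return "var currentValue='" + encodeForJavaScript(untrusted) + "';";
}

// Parse the rendered fragment with the JavaScript engine itself and return the
// value the browser would see. If the escaping were wrong, this would throw a
// SyntaxError or return something other than the original input.
function evaluateFragment(fragment) {
  return new Function(fragment + " return currentValue;")();
}

// The setInterval case: escaping keeps the literal intact, but the string that
// reaches the evaluating function is the decoded original. This helper returns
// that decoded string without calling setInterval.
function argumentReachingEvaluator(untrusted) {
  return new Function("return '" + encodeForJavaScript(untrusted) + "';")();
}

// Constructed sample input: the same payload the page lists as the attack.
const ATTACK = "');/* BAD STUFF */";

console.log("escaped:  ", encodeForJavaScript(ATTACK));
console.log("rendered: ", renderCurrentValue(ATTACK));
console.log("parsed:   ", evaluateFragment(renderCurrentValue(ATTACK)));
console.log("to eval:  ", argumentReachingEvaluator(ATTACK));
```

Because `<`, `/` and `>` are encoded as well, the same escaper also blocks a `</script>` sequence from terminating the script element, which a quote-only escaper would miss. The last line of output is the point of the page's warning: the value handed to a code-evaluating function is indistinguishable from what the attacker typed, so no output encoding can make that sink safe.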