This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "CRV2 ContextEncJscriptParams"
From OWASP
| Line 18: | Line 18: | ||
ESAPI javascript escaping can be call in this manner: | ESAPI javascript escaping can be call in this manner: | ||
String safe = ESAPI.encoder().encodeForJavaScript( request.getParameter( "input" ) ); | String safe = ESAPI.encoder().encodeForJavaScript( request.getParameter( "input" ) ); | ||
| + | |||
| + | '''Please note there are some JavaScript functions that can never safely use untrusted data as input - EVEN IF JAVASCRIPT ESCAPED!''' | ||
| + | |||
| + | For example: | ||
| + | |||
| + | <script> | ||
| + | window.setInterval('...EVEN IF YOU ESCAPE UNTRUSTED DATA YOU ARE XSSED HERE...'); | ||
| + | </script> | ||
Revision as of 13:16, 21 October 2013
Untrusted data, if being placed inside a Javascript function/code requires validation. Unvalidated data may break out of the data context and wind up being executed in the code context on a users browser.
Examples of exploitation points (sinks) which are worth reviewing for:
<script>var currentValue='UNTRUSTED DATA';</script>
<script>someFunction('UNTRUSTED DATA');</script>
attack: ');/* BAD STUFF */
Potential solutions:
OWASP HTML sanatiser Project
OWASP JSON Sanitizer Project
ESAPI javascript escaping can be call in this manner:
String safe = ESAPI.encoder().encodeForJavaScript( request.getParameter( "input" ) );
Please note there are some JavaScript functions that can never safely use untrusted data as input - EVEN IF JAVASCRIPT ESCAPED!
For example:
<script>
window.setInterval('...EVEN IF YOU ESCAPE UNTRUSTED DATA YOU ARE XSSED HERE...');
</script>
