This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
CRV2 ContextEncJscriptParams
From OWASP
Untrusted data, if being placed inside a Javascript function/code requires validation. Unvalidated data may break out of the data context and wind up being executed in the code context on a users browser.
Examples of exploitation points (sinks) which are worth reviewing for:
<script>var currentValue='UNTRUSTED DATA';</script> <script>someFunction('UNTRUSTED DATA');</script> attack: ');/* BAD STUFF */
Potential solutions: