Difference between revisions of "CRV2 ContextEncHTMLEntity"

From OWASP
Jump to: navigation, search
Line 21: Line 21:
 
It is recommended to review where/if untrusted data is placed within entity objects.
 
It is recommended to review where/if untrusted data is placed within entity objects.
 
searching the source code fro teh followign encoders may help establish if HTML entity encoding is being done in the application and in a consistant manner. <br>
 
searching the source code fro teh followign encoders may help establish if HTML entity encoding is being done in the application and in a consistant manner. <br>
 
    String safe = ESAPI.encoder().encodeForHTML( request.getParameter( "input" ) );
 
 
 
'''OWASP Java Encoder Project'''<br>
 
'''OWASP Java Encoder Project'''<br>
 
[https://www.owasp.org/index.php/OWASP_Java_Encoder_Project https://www.owasp.org/index.php/OWASP_Java_Encoder_Project]
 
[https://www.owasp.org/index.php/OWASP_Java_Encoder_Project https://www.owasp.org/index.php/OWASP_Java_Encoder_Project]
Line 31: Line 28:
 
'''OWASP ESAPI''' <br>
 
'''OWASP ESAPI''' <br>
 
[http://code.google.com/p/owasp-esapi-java/source/browse/trunk/src/main/java/org/owasp/esapi/codecs/HTMLEntityCodec.java http://code.google.com/p/owasp-esapi-java/source/browse/trunk/src/main/java/org/owasp/esapi/codecs/HTMLEntityCodec.java]
 
[http://code.google.com/p/owasp-esapi-java/source/browse/trunk/src/main/java/org/owasp/esapi/codecs/HTMLEntityCodec.java http://code.google.com/p/owasp-esapi-java/source/browse/trunk/src/main/java/org/owasp/esapi/codecs/HTMLEntityCodec.java]
 +
 +
 +
    String safe = ESAPI.encoder().encodeForHTML( request.getParameter( "input" ) );

Revision as of 10:43, 3 October 2013

HTML elements which contain user controlled data or data from untrusted sourced should be reviewed for contextual output encoding. In the case of HTML entities we need to help ensure HTML Entity Encoding is perfromed:

Example HTML Entity containing untrusted data:

   HTML Body Context
   
   <span>UNTRUSTED DATA</span>
   OR
   <body>...UNTRUSTED DATA </body>
   OR
   <div>UNTRUSTED DATA </div>
   

HTML Entity Encoding is required

   & --> &amp;
   < --> &lt;
   > --> &gt;
   " --> &quot;
   ' --> &#x27;

It is recommended to review where/if untrusted data is placed within entity objects. searching the source code fro teh followign encoders may help establish if HTML entity encoding is being done in the application and in a consistant manner.
OWASP Java Encoder Project
https://www.owasp.org/index.php/OWASP_Java_Encoder_Project

   <input type="text" name="data" value="<%= Encode.forHtmlAttribute(dataValue) %>" />
   

OWASP ESAPI
http://code.google.com/p/owasp-esapi-java/source/browse/trunk/src/main/java/org/owasp/esapi/codecs/HTMLEntityCodec.java


   String safe = ESAPI.encoder().encodeForHTML( request.getParameter( "input" ) );