Difference between revisions of "CRV2 ContextEncJscriptParams"

From OWASP
Revision as of 08:14, 21 October 2013

Untrusted data placed inside JavaScript code (for example, as a string literal or a function parameter) requires validation and output encoding. Unvalidated data may break out of the data context and end up being executed in the code context in the user's browser.

Examples of exploitation points (sinks) worth reviewing for:

    <script>var currentValue='UNTRUSTED DATA';</script>
    <script>someFunction('UNTRUSTED DATA');</script>
    attack: ');/* BAD STUFF */

The payload closes the single-quoted string literal and the surrounding call, so whatever follows is parsed as code rather than as the string value.

Potential solutions:

OWASP HTML Sanitizer Project (https://www.owasp.org/index.php/OWASP_Java_HTML_Sanitizer_Project)
OWASP JSON Sanitizer Project (https://www.owasp.org/index.php/OWASP_JSON_Sanitizer)

ESAPI JavaScript escaping can be called in this manner:

    String safe = ESAPI.encoder().encodeForJavaScript( request.getParameter( "input" ) );
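As an added example (not code from the OWASP page or from ESAPI), the JavaScript below implements the same encoding rule that ESAPI's encodeForJavaScript applies and feeds the page's attack payload through the someFunction('UNTRUSTED DATA') sink shown above, with and without encoding. The names encodeForJavaScript, buildScript, runScript and the stub someFunction are constructed for this demonstration.

```javascript
// ESAPI-style JavaScript-context encoder (constructed example, not ESAPI's code):
// every character except [A-Za-z0-9] is emitted as \xHH (code point < 256) or
// \uHHHH, so quotes, backslashes, "</script>" and comment openers cannot change
// the code context in which the value is embedded.
function encodeForJavaScript(input) {
  let out = "";
  for (const ch of String(input)) {
    const cp = ch.codePointAt(0);
    if (/[A-Za-z0-9]/.test(ch)) {
      out += ch;
    } else if (cp < 0x100) {
      out += "\\x" + cp.toString(16).toUpperCase().padStart(2, "0");
    } else if (cp < 0x10000) {
      out += "\\u" + cp.toString(16).toUpperCase().padStart(4, "0");
    } else {
      // Astral code point: emit its UTF-16 surrogate pair as two \u escapes.
      const hi = Math.floor((cp - 0x10000) / 0x400) + 0xd800;
      const lo = ((cp - 0x10000) % 0x400) + 0xdc00;
      out += "\\u" + hi.toString(16).toUpperCase() + "\\u" + lo.toString(16).toUpperCase();
    }
  }
  return out;
}

// The sink from the page: untrusted data dropped into a quoted string argument.
function buildScript(untrusted, encode) {
  const value = encode ? encodeForJavaScript(untrusted) : untrusted;
  return "someFunction('" + value + "');";
}

// Execute the generated snippet with a stub someFunction that records its
// argument. Returns { called, threw }: a value that stayed data yields exactly
// one call carrying the original text; a value that altered the program either
// changes the calls or, as with this payload, leaves an unparsable script.
function runScript(script) {
  const called = [];
  try {
    new Function("someFunction", script)((v) => called.push(v));
    return { called, threw: false };
  } catch (e) {
    return { called, threw: true };
  }
}

const ATTACK = "');/* BAD STUFF */"; // the payload shown on the page

// Unencoded: the payload rewrites the program instead of staying a string value.
const unsafeRun = runScript(buildScript(ATTACK, false)); // threw === true
// Encoded: someFunction receives the payload text unchanged, as data.
const safeRun = runScript(buildScript(ATTACK, true));   // called[0] === ATTACK
```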