CRV2 ContextEncJscriptParams

Revision as of 08:10, 21 October 2013 by EoinKeary (Talk | contribs)


Untrusted data that is placed inside a JavaScript function or code block requires validation and context-appropriate encoding. Unvalidated data can break out of the data context (for example, a string literal) and end up being executed in the code context on a user's browser.

Examples of exploitation points (sinks) that are worth reviewing for:

    <script>var currentValue='UNTRUSTED DATA';</script> 
    <script>someFunction('UNTRUSTED DATA');</script> 
    attack: ');/* BAD STUFF */
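An added example (not from this page or from the OWASP projects it links) showing the string-literal sink above, first with raw concatenation and then with every non-alphanumeric character of the untrusted value encoded as \xHH or \uHHHH before it is inserted. The function names are assumed.

```javascript
// Unsafe: the untrusted value is concatenated straight into the script
// source, so a quote in the data ends the string literal and the rest
// of the value is parsed as code (the "data context" becomes "code context").
function renderUnsafe(untrusted) {
  return "<script>var currentValue='" + untrusted + "';</script>";
}

// Encode every UTF-16 code unit outside [A-Za-z0-9] as \xHH (< 0x100) or
// \uHHHH. Quotes, backslashes, '<', '/', newlines and U+2028/2029 are all
// escaped, so the value can neither close the literal nor the <script> tag.
// Astral characters are emitted as two \uHHHH surrogate escapes, which is
// valid inside a JavaScript string literal.
function encodeForJsString(s) {
  let out = "";
  for (let i = 0; i < s.length; i++) {
    const ch = s[i];
    if (/[A-Za-z0-9]/.test(ch)) {
      out += ch;
      continue;
    }
    const cu = s.charCodeAt(i);
    out += cu < 0x100
      ? "\\x" + cu.toString(16).padStart(2, "0")
      : "\\u" + cu.toString(16).padStart(4, "0");
  }
  return out;
}

// Safe: the same sink, with the value encoded for the JS string context.
// Note that JSON.stringify alone is not enough here: it leaves "</script>"
// untouched, which still terminates the surrounding script element.
function renderSafe(untrusted) {
  return "<script>var currentValue='" + encodeForJsString(untrusted) + "';</script>";
}

// Lossless check: evaluating the encoded literal must yield the original value.
function decodesBackTo(original) {
  return Function("return '" + encodeForJsString(original) + "';")() === original;
}

// Payload taken from the page above; only the safe renderer keeps it as data.
const payload = "');/* BAD STUFF */";
console.log(renderUnsafe(payload));
console.log(renderSafe(payload));
```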

Potential solutions:

OWASP HTML Sanitizer Project
OWASP JSON Sanitizer Project